Skip to main content
  • Cybersecurity

Canadian implicated in NetWalker ransomware attacks

By Rob Williamson
Marketing Manager

The hacker in a hoodie is my least favourite overused metaphor for internet bad guys. Why?  Because it’s oversimplified and makes it feel benign.  Sure, the image matches one of the greatest TV shows ever on the subjectMr. Robothowever, when it comes to real life, hackers are far more sophisticated. 

In reality, cyber-crime is mostly organized crime, and are they ever organized. The people who make and distribute ransomware have technical documentation, “HR” recruiting policies, software updates, multi-language support that rivals any legitimate software company. This reality hit close to home today with the arrest of a Canadian man implicated in the distribution of NetWalker ransomware.

According toKrebsonsecurity:

As an aside, I would be remiss if I didn’t point out that the suspect is actually from Gatineau, Ottawa’s neighbour to the north and home of our CTO Jacques Latour…but I digress. 

Back to the story. NetWalker has been around for a while, and was created by a cybercrime group known as Circus Spider. In order to increase distribution, they moved their software to a web services model whereby they took a cut of every “transaction” rather than be the direct perpetrators of the crime. They posted a job looking for affiliates who had experience and access to networks. Just like a traditional job interview, they needed proof of competence and posted what successful applicants would receive for being hired.

The affiliatesor as mainstream media likes to call them, thievesthen use primarily phishing emails to target high-value organizations and install the malware. Some reports had indicated that healthcare institutions and COVID-19-related organizations were among the prime targets because they are typically understaffed in cybersecurity and have IT departments that are more designed to support health outcomes than network management.

To add even more alleged criminality to the story, the Canadian implicated in the crime has a history of drug trafficking offences. Krebsonsecurity cross-referenced the name to a drug charge in the same region for possession of more than 50,000 methamphetamine tablets. While we can’t confirm the relationship, the connection between organized crime and cyber-crime has been well documented.

So what should you do? As always, we recommend a defence-in-depth posture that puts layers of defence on the endpoint, the network, and outside the network in the cloud with something like CIRA’s DNS Firewall.  Since these attacks are typically distributed via phishing attempts, particularly spear phishing, we recommend that users are well trained to spot these types of scams.  And not just spot them, but to report them to the IT department.  In this way, they aren’t just “risks to mitigate” but, in fact, intelligent parts of your network’s defence.

This is especially critical in this instance because the hacking organization wants people who can spear phish high-value targets and not simply mass spam people and have those emails get caught in the mail filters. Why this matters is because it works. I have spoken with CIOs who have accidentally clicked on these types of malicious links when they were busy or distracted. If they are at risk, then think about those who’s job isn’t to know better.

This illustrates the benefit of having individuals in your organization report malicious emails and links so the IT team can block them. In a spear phish scenario, these links and emails may not already be part of mass block lists. The fact that this ransomware has caught very sophisticated organizations means that the payload is not being caught by their other layers of security.

In CIRA’s case, users of the CIRA Cybersecurity Awareness service can teach and test their employees to recognize malicious content with templates that are designed to trick (Canadian) users.

Sample phishing template in CIRA Cybersecurity Awareness Platform for illustration purposes

Most importantly, they can report the phish with a single click directly in their email client. If an IT team sees many users reporting the same thing they can investigate and act to remove the email and add any nefarious URLs to a threat block list.  Importantly, phishing is not the only issue. Nefarious software is distributed from all kinds of locations online that a typical user could be visiting. It could be a worksheet to help teach their kids math or even from a legitimate website that has been hacked to distribute illegitimate things. We see these situations all the time with the threat blocking in our CIRA DNS Firewall – so for both phishing and web surfing that is where it fits in the cybersecurity solution.

To conclude, the hacker in the hoodie bothers me so much is because it makes me think of simpler days. The days when hacking was just that dude down the hall in university who hacked the phone network for free long distance, a “victimless” crime. When a hacker wearing a cool sweater meant something meaningful in the fight against evil corporations run by shadowy figures.

Things were simpler then. Now it is just thieves ransoming people for money – and in the case of hospitals and it is literally life-or-death.

About the author
Rob Williamson

Rob brings over 20 years of experience in the technology industry writing, presenting and blogging on subjects as varied as software development tools, silicon reverse engineering, cyber-security and the DNS. An avid product marketer who takes the time to speak to IT professionals with the information and details they need for their jobs.