Netwalker, the Powerful New Strain of Ransomware Used Against Equinix

The colocation provider says it has fully contained the attack. Other victims weren't so lucky.

Maria Korolov

September 21, 2020

French Economy Minister Bruno Le Maire (R) listens to Regis Castagne (L), managing director of Southern European Equinix Data Center, during the inauguration of the Equinix PA8 data center in a Paris suburb. Photo: JACQUES DEMARTHON/AFP via Getty Images

In a statement published on its website, Equinix said that the ransomware attack on its infrastructure disclosed earlier this month has been fully contained, with no customers affected and no data lost.

"Our mitigation efforts have yielded full containment of the recent security incident," the company said.

Equinix had said earlier that it was able to reach a milestone in its containment and mitigation efforts "that we believe will prevent the release of any data associated with this incident," and that all internal systems were close to being fully restored.

The company still hasn’t released details about the attack, but according to a report by BleepingComputer, the particular strain of ransomware involved was Netwalker, and attackers asked for $4.5 million in ransom. The attackers didn't just encrypt company systems and make them unusable, however. They also indicated that they stole files containing financial information, payroll, accounting, audits, and data center reports.

Equinix did not confirm any of these details in its statement. The company hasn’t responded to repeated requests for comment by DCK.

With 2019 revenue of $5.5 billion and around 200 data centers around the world, Equinix supports thousands of customers including many of the world’s largest corporations.


In August, a power outage at a London data center affected hundreds of Equinix clients, and there were many complaints about a lack of communication on the part of the data center provider. This time, however, Equinix posted regular updates about the attack and its response, even if the information provided was very limited.

In addition, there are no signs or public reports that any customers were affected, an indication that Equinix was well prepared for an attack of this type.

"Their internal systems were kept separate from clients' systems," said Katie Teitler, senior analyst at TAG Cyber, a security research firm. "This is one of the principles of zero trust, and one of the reasons zero trust has been so buzzworthy in the last few years. If Equinix's customers' systems had been touched, this would be an even bigger story."

What Is Netwalker?

The Netwalker ransomware that was allegedly used in the Equinix attack appears to have been involved in other recent high-profile attacks.

In June the University of California, San Francisco paid $1.14 million to attackers after ransomware took down servers at its school of medicine.

Netwalker is relatively new, having been active for about a year, according to a report by Heimdal Security, and was created by a group of Russian-speaking hackers.


In March it shifted to a ransomware-as-a-service model, and in April the group behind it began recruiting experienced network intruders to go after large targets such as businesses, hospitals, and government agencies, getting in through unpatched VPN appliances, weak Remote Desktop Protocol passwords, and exposed web applications.

The attackers use a belt-and-suspenders strategy to get their ransoms paid. First they shut down systems, encrypt the files on them, and delete every backup they can find. If a victim has a good, isolated set of backups and a robust recovery plan, the attackers fall back on a second threat: they post screenshots of the stolen files on their public leak site and, if the victim doesn't pay, release the files themselves.

As a result, from March through July the ransomware was used to extort $25 million from victims, according to McAfee.

For victims, the cost of the ransom is a small part of the total effect of the ransomware, as they lose business, pay for remediation, and incur other costs as part of their recovery efforts.

And then there's the part that nobody wants to talk about, said Caleb Barlow, president and CEO of CynergisTek, a privacy and security company. Barlow was previously an IBM security executive, leading the IBM X-Force Threat Intelligence organization.

"The real fear is not that they publish data, it’s that they change data," he said. "With the level of access required to wipe or publish data, you could also just as easily change it, and the problem for any company is that if you lose the integrity of your data, you then have to question everything moving forward."

In addition, the attackers could have established permanent footholds in your systems.

"If the adversary is still active on the network and you do not know where they are hiding, then further damage becomes a real concern," he said.

Ransomware Is On the Rise

Netwalker is just one of many active ransomware campaigns that have stepped up attacks recently.

According to the latest Beazley Breach Insights Report, the number of incidents involving ransomware in the first quarter of 2020 increased by 25 percent compared to the last quarter of 2019.

"Ransomware operations have kicked into high gear this year, hitting a number of large organizations," said Inga Goddijn, executive VP at Risk Based Security.

And no company is safe.

"The event at Equinix reinforces the old adage that no organization is immune from attack," she said. "Our researchers see hundreds of breach announcements every year that begin with the phrase ‘we take privacy and security seriously.’"

Often the root cause comes down to basic security hygiene: ransomware typically gets in through unpatched systems, weak passwords, or phishing emails.

And data center providers are juicy targets.

"A cybercriminal group can minimally invest in a single human driver or automated ransomware attack but impact a large number of businesses – the data center's client base," said Francisco Donoso, director of global security strategy at Kudelski Security. "This means that their potential return on investment could be rather large. A single organization that was a client of the data center provider could pay for the decryption key, or the data center provider may be pressured to pay for the decryption key in order to restore critical services for their clients."

In April IT services and data center provider Cognizant was hit by a ransomware attack that could cost it between $50 million and $70 million, the company told investors in July.

This past Christmas Eve cloud hosting provider Data Resolution was brought down by a ransomware attack, according to security researcher Brian Krebs.

Also in December a ransomware attack hit CyrusOne's managed services division, affecting six customers at its New York data center.

Other data center providers hit by ransomware last year include SmarterASP.NET, A2 Hosting, and iNSYNQ. In all three cases, it took weeks to fully recover customer data.

On-prem enterprise data centers are also vulnerable.

In the spring of 2019 a ransomware attack against Oslo-based aluminum producer Norsk Hydro cost the company between $72 million and $83 million, only $24 million of which was covered by cyber insurance, the company said in an annual report released earlier this year.

And the costliest ransomware attack so far this year was against Denmark-based facilities management company ISS World. In March the company told investors that it will cost between $71 million and $127 million to recover.

"One of the main takeaways is that no organization or network is entirely safe from a ransomware attack," said Jamie Hart, cyber threat intelligence analyst at Digital Shadows, a San Francisco-based cybersecurity company. "Vulnerabilities can be found, systems can be misconfigured, and employees can be misled."

Data center managers should double-check that their Remote Desktop Protocol servers are secure and not reachable from the open internet, he said, that multifactor authentication is in use, that privileges are limited to the least needed, that the number of administrator accounts is minimized, and that all software and systems are patched and up to date.

Data centers should also have a response plan in place, practice that plan, and train employees to spot phishing attacks.
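Two of the controls in that list (RDP not open to the internet, and no tolerance for weak RDP passwords) can be checked continuously rather than once. The script below is an added example written for this article; it is not code from Equinix, Digital Shadows, or any of the vendors quoted. The logon-failure events, firewall rules, and management network ranges are constructed sample data. The event fields loosely mirror Windows Security event 4625, where logon type 10 denotes a RemoteInteractive (RDP) logon, and the window and threshold are assumptions to tune for your own environment.

```python
"""Two checks against the RDP hardening advice above (example code, constructed data).

1. detect_rdp_bruteforce: flag source IPs with a burst of RDP logon failures,
   the signature of password guessing/spraying against a weak-password account.
2. exposed_rdp_rules: flag inbound firewall rules that allow RDP from anywhere
   outside the management networks.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample of Windows Security event 4625 (logon failure) fields.
# Logon type 10 = RemoteInteractive, i.e. an RDP logon attempt.
SAMPLE_EVENTS = [
    {"ts": "2020-09-01T02:00:05", "src": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"ts": "2020-09-01T02:00:09", "src": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"ts": "2020-09-01T02:00:14", "src": "203.0.113.7", "user": "backup", "logon_type": 10},
    {"ts": "2020-09-01T02:00:21", "src": "203.0.113.7", "user": "svc_sql", "logon_type": 10},
    {"ts": "2020-09-01T02:00:27", "src": "203.0.113.7", "user": "operator", "logon_type": 10},
    {"ts": "2020-09-01T02:00:33", "src": "203.0.113.7", "user": "administrator", "logon_type": 10},
    # A single mistyped password from the management LAN: normal, must not alert.
    {"ts": "2020-09-01T09:15:00", "src": "10.20.0.14", "user": "jsmith", "logon_type": 10},
    # Network (type 3) logon failures are not RDP and are ignored by this check.
    {"ts": "2020-09-01T09:16:00", "src": "10.20.0.14", "user": "jsmith", "logon_type": 3},
    # Slow guessing spread over an hour stays under a 5-minute window threshold.
    {"ts": "2020-09-01T11:00:00", "src": "198.51.100.9", "user": "administrator", "logon_type": 10},
    {"ts": "2020-09-01T11:20:00", "src": "198.51.100.9", "user": "administrator", "logon_type": 10},
    {"ts": "2020-09-01T11:40:00", "src": "198.51.100.9", "user": "administrator", "logon_type": 10},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: {"failures": n, "users": [...]}} for every source that
    produced at least `threshold` RDP logon failures inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:  # only RemoteInteractive (RDP) failures
            continue
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))

    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        recent = deque()
        peak = 0
        for ts, user in attempts:
            recent.append((ts, user))
            while ts - recent[0][0] > window:  # drop attempts older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[src] = {
                "failures": peak,
                "users": sorted({user for _, user in attempts}),
            }
    return alerts


# Constructed sample of inbound firewall rules as (name, port, remote CIDR).
SAMPLE_RULES = [
    ("rdp-from-jumphost", 3389, "10.20.0.0/24"),
    ("rdp-any", 3389, "0.0.0.0/0"),          # the misconfiguration to catch
    ("https", 443, "0.0.0.0/0"),             # not RDP, out of scope here
    ("rdp-vpn-pool", 3389, "10.99.0.0/16"),
]

# Assumed management networks from which RDP is allowed (example values).
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.99.0.0/16")]


def exposed_rdp_rules(rules, allowed_nets=MANAGEMENT_NETS, rdp_port=3389):
    """Return names of rules that permit RDP from outside the management networks."""
    exposed = []
    for name, port, remote in rules:
        if port != rdp_port:
            continue
        net = ipaddress.ip_network(remote)
        if not any(net.subnet_of(allowed) for allowed in allowed_nets):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT possible RDP brute force from {src}: "
              f"{info['failures']} failures, users tried: {', '.join(info['users'])}")
    for rule in exposed_rdp_rules(SAMPLE_RULES):
        print(f"ALERT firewall rule '{rule}' exposes RDP beyond the management networks")
```

In production the event list would come from the Windows Security log (or the SIEM that ingests it) and the rule list from the perimeter firewall or cloud security group API; the logic is the same. The sliding window matters: a flat count over a whole day would also catch the slow guesser at 198.51.100.9, which may be what you want, but it would drown a busy environment in alerts for ordinary typos, so the window and threshold should be tuned against your own baseline.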

About the Author(s)

Maria Korolov

Maria Korolov is an award-winning technology journalist who covers cybersecurity, AI, and extended reality. She also writes science fiction.
