BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
63
Global rank
66
Month rank
62
Week rank
26
IOCs

Netwalker is ransomware — it belongs to a malware family which encrypts files and demands users to pay a ransom to get their data back. Netwalker utilizes several sophisticated techniques, such as process hollowing and code obfuscation to target corporate victims.

Ransomware
Type
Unknown
Origin
1 August, 2019
First seen
22 September, 2023
Last seen
Also known as
Mailto

How to analyze Netwalker with ANY.RUN

Type
Unknown
Origin
1 August, 2019
First seen
22 September, 2023
Last seen

IOCs

Hashes
4f7bdda79e389d6660fca8e2a90a175307a7f615fa7673b10ee820d9300b5c60
d6a73a29eef440065345adbd39891779a987f65736793fa1fde06e277b0816fd
2a6906003793f2c4835b6c080d1134156ba2e0e27642bf0ab22bd7a81a969ab1
0afd99c3f7593c760c4001313963f3e7fd709ca56046044033d790602a8cb378
5d869c0e077596bf0834f08dce062af1477bf09c8f6aa0a45d6a080478e45512
d950a94534129202aa308f22d6c3d33f71af884d5556671a2b7f6ba8994cc995
a6fdbcacfebfcb8bad7c2d0e4b3ae223b756b2991e07578e33db34eb06eab3e5
ef3c53a9fa631dc0b6f96591590aa5c2150ba95a41b12fff3f0e50c0d0da6870
57cf4470348e3b5da0fa3152be84a81a5e2ce5d794976387be290f528fa419fd
b3e649a6ba9f6078fd0cd9844f150d0ae58065094e683a5b5f7a6d171a73921b
3ba905e1cda7307163d4c8fe3fd03c2fbce7eda030522084e33d0604c204630e
6d85f0c090909e9fe520cae86e0f295c1f67309f37d97eda2e4d93eb01251ea4
46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9
9c6d7dbe229d4257bc12df969637e773472892d80129416239d7a11edc7c7e82
f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86
353f3cad40f4deec18261c649f07e018fdd592b706f6aed709d7cb5ab3844715
ac6310c94c814ce3e07c0977e52b748c1040493118e48fda29f36d475ceea4a7
c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010
c414bbb789af8e3fb93b33344b31f1991582ec0f06558b29a3178d2b02465c72
ee28b32d1414368925cb9deea64c48af576718c38cb5bacf939b4fc9dbea5bad
Last Seen at

Recent blog posts

3 Cybersecurity Events ANY.RUN Attended in No...
watchers 140
comments 0
5 malware threats we discovered in the wild i...
watchers 343
comments 0
RisePro Malware Analysis: Exploring C2 Commun...
watchers 2311
comments 0

What is Netwalker ransomware?

Netwalker, also called Mailto is a Ransomware — malware that encrypts files on infected devices and uses lost information as leverage to make the victim pay a ransom in exchange for the lost access to their data.

Although Netwalker is relatively novel, having been discovered in August 2019, it has already been featured in successful attacks against multiple companies. And amidst the Coronavirus pandemic, it started using the virus-related emails to play on natural fears and potentially infiltrate more networks.

General description of Netwalker ransomware

Netwalker usually targets businesses and corporate victims, infiltrating a corporate network and spreading to all connected Windows PCs. One of the first campaigns where this ransomware was seen included an attack on an Australian company Toll Group, which temporarily paralyzed over 1000 endpoints in February 2019.

Since then the malware has continued to stay active but changed the distribution method to take advantage of the chaos caused by the COVID 19 pandemic, heavily utilizing phishing techniques. In addition, Netwalker started targeting medical and healthcare institutions, since they are potentially the most vulnerable due to the pandemic.

Netwalker ransomware is considered highly dangerous since it incorporates advanced anti-detection and persistence mechanisms. What’s more, successful attacks in the past prompted the FBI and the U.S Department of Homeland Security to issue warnings about this malware.

Netwalker indeed has several advanced features. For example, experts report that this malware utilizes process hollowing, a technique that allows the attackers to execute the malware while masing it with a legitimate process, “explorer.exe” in the case of Netwalker. Thus, the malware cannot be detected simply by looking at the list of processes, since it does not trigger the occurrence of any suspicious processes.

The malware also may copy itself into “AppData” subfolders and use a registry key to automatically launch itself and survive system reboots, achieving persistence in the infected system.

Additionally, Netwalker features code obfuscation to complicate the static analysis of the samples. The malware encodes all strings in its source code to prevent the analysts from easily reading its code.

It should also be noted that after encrypting the targeted files, depending on the version the malware can append the string “mailto” to filenames. This is how the first known name of this Ransomware was created. The name was later changed, after researchers analyzed a discovered decryptor, and found out that the original creator likely called the software “Netwalker”.

Malware analysis of Netwalker ransomware

The ANY.RUN malware hunting service features a video that displays the complete execution process of Netwalker.

netwalker_ransomware_execution_process_graph

Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service

netwalker_ransom_note

Figure 2: Netwalker ransom note

Netwalker ransomware execution process

In general, the execution process of Netwalker is not much different from other ransomware like Ryuk. At first, Netwalker was distributed as an executable file, but then it soon started utilizing script files such as VBS and Powershell. After the ransomware makes its way into an infected system and runs, the main malicious activity begins. Like many other ransomware families, Netwalker deletes shadow copies. After the encryption process ends, this ransomware often stops its process and deletes itself. Like other malware of this type, it creates a text file with a ransom note and drops it in every directory that contains encrypted files. The ransom note file opens on the desktop after the encryption process is ended. Also, Netwalker uses the process hollowing technique to inject the payload into ‘explorer.exe’.

netwalker_versions_process_tree_comparison

Figure 3: Netwalker versions process tree comparison: first is executable file, second is VBS script, and third is Powershell script

Distribution of Netwalker malware

The malware uses multiple attack vectors to infiltrate the networks of its targets. It can utilize mail spam, web-injects, botnets, exploits, fake software updates, infected installers, and hacks that utilize insecure RDP configurations.

For example, it has been seen masquerading as a real software product “Sticky Password”. “Sticky Password” is a password management application developed by AVG Technologies — a very well-known player in the cybersecurity industry.

Another attack vector is using VBS scripts distributed via Coronavirus-themed spam email campaigns.

How to detect Netwalker ransomware using ANY.RUN?

Netwalker ransomware can be detected by several different activities — such as by finding the keys that it adds into the registry or by certain files that it creates. However, the most reliable way is finding the Netwalker ransom note — not only does it have similarities with notes from other tasks, but after getting an update, this malware started adding self-defining strings: "Your files are encrypted by Netwalker."

Analysts can take a look at these notes by using ANY.RUN Static Discovering. Click on the "Files modification" tab, then find the file with the name such as "{encrypted files extension}-Readme.txt". To take a look inside this file just click on it.

If you find the line above, then be sure that the sample you are dealing with is Netwalker ransomware. With ANY.RUN you can also analyze other types of malware such as Crimson RAT.

how_to_detect_netwalker_ransomware

Figure 4: How to detect Netwalker ransomware using ANY.RUN

Conclusion

Thanks to the use of advanced persistence and anti-evasion mechanisms, Netwalker is a serious threat to the cybersecurity of organizations. This malware is one of those malicious programs that quickly started utilizing the Coronavirus pandemic for its benefit, which may point to the adaptability of the cyber-gang behind it. Thus, we can be quite certain that Netwalker attacks will continue to happen going forward.

What’s more, usually building a cyber defense against malware that uses code obfuscation is not the easiest task, since the only way to learn about the malicious program is through dynamic analysis, which demands significant time and resources.

01/28/20 Update: In January 2021 US and Bulgarian law enforcement agencies teamed up against NetWalker. Bulgarian authorities took over domains in a dark web used by malware actors. It was used to provide ransom instructions and connect with victims.

Sebastien Vachon-Desjardins, a Canadian citizen, was charged in a Florida court, that accused him of obtaining over $27.6 million from infecting companies with NetWalker. On January 10th, authorities managed to seize $454,530.19 in cryptocurrency, which is made up of payments made by malware victims.

ANY.RUN malware hunting service enables researchers to perform dynamic analysis in an interactive and safe online environment with our user-friendly tools and help learn as much as possible about this and other similar ransomware threats.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy