BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
Global rank
Month rank
79 infographic chevron week
Week rank

Netwalker is ransomware — it belongs to a malware family which encrypts files and demands users to pay a ransom to get their data back. Netwalker utilizes several sophisticated techniques, such as process hollowing and code obfuscation to target corporate victims.

1 August, 2019
First seen
23 April, 2024
Last seen
Also known as

How to analyze Netwalker with ANY.RUN

1 August, 2019
First seen
23 April, 2024
Last seen


Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 48
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 657
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 564
comments 0

What is Netwalker ransomware?

Netwalker, also called Mailto is a Ransomware — malware that encrypts files on infected devices and uses lost information as leverage to make the victim pay a ransom in exchange for the lost access to their data.

Although Netwalker is relatively novel, having been discovered in August 2019, it has already been featured in successful attacks against multiple companies. And amidst the Coronavirus pandemic, it started using the virus-related emails to play on natural fears and potentially infiltrate more networks.

General description of Netwalker ransomware

Netwalker usually targets businesses and corporate victims, infiltrating a corporate network and spreading to all connected Windows PCs. One of the first campaigns where this ransomware was seen included an attack on an Australian company Toll Group, which temporarily paralyzed over 1000 endpoints in February 2019.

Since then the malware has continued to stay active but changed the distribution method to take advantage of the chaos caused by the COVID 19 pandemic, heavily utilizing phishing techniques. In addition, Netwalker started targeting medical and healthcare institutions, since they are potentially the most vulnerable due to the pandemic.

Netwalker ransomware is considered highly dangerous since it incorporates advanced anti-detection and persistence mechanisms. What’s more, successful attacks in the past prompted the FBI and the U.S Department of Homeland Security to issue warnings about this malware.

Netwalker indeed has several advanced features. For example, experts report that this malware utilizes process hollowing, a technique that allows the attackers to execute the malware while masing it with a legitimate process, “explorer.exe” in the case of Netwalker. Thus, the malware cannot be detected simply by looking at the list of processes, since it does not trigger the occurrence of any suspicious processes.

The malware also may copy itself into “AppData” subfolders and use a registry key to automatically launch itself and survive system reboots, achieving persistence in the infected system.

Additionally, Netwalker features code obfuscation to complicate the static analysis of the samples. The malware encodes all strings in its source code to prevent the analysts from easily reading its code.

It should also be noted that after encrypting the targeted files, depending on the version the malware can append the string “mailto” to filenames. This is how the first known name of this Ransomware was created. The name was later changed, after researchers analyzed a discovered decryptor, and found out that the original creator likely called the software “Netwalker”.

Malware analysis of Netwalker ransomware

The ANY.RUN malware hunting service features a video that displays the complete execution process of Netwalker.


Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service


Figure 2: Netwalker ransom note

Netwalker ransomware execution process

In general, the execution process of Netwalker is not much different from other ransomware like Ryuk. At first, Netwalker was distributed as an executable file, but then it soon started utilizing script files such as VBS and Powershell. After the ransomware makes its way into an infected system and runs, the main malicious activity begins. Like many other ransomware families, Netwalker deletes shadow copies. After the encryption process ends, this ransomware often stops its process and deletes itself. Like other malware of this type, it creates a text file with a ransom note and drops it in every directory that contains encrypted files. The ransom note file opens on the desktop after the encryption process is ended. Also, Netwalker uses the process hollowing technique to inject the payload into ‘explorer.exe’.


Figure 3: Netwalker versions process tree comparison: first is executable file, second is VBS script, and third is Powershell script

Distribution of Netwalker malware

The malware uses multiple attack vectors to infiltrate the networks of its targets. It can utilize mail spam, web-injects, botnets, exploits, fake software updates, infected installers, and hacks that utilize insecure RDP configurations.

For example, it has been seen masquerading as a real software product “Sticky Password”. “Sticky Password” is a password management application developed by AVG Technologies — a very well-known player in the cybersecurity industry.

Another attack vector is using VBS scripts distributed via Coronavirus-themed spam email campaigns.

How to detect Netwalker ransomware using ANY.RUN?

Netwalker ransomware can be detected by several different activities — such as by finding the keys that it adds into the registry or by certain files that it creates. However, the most reliable way is finding the Netwalker ransom note — not only does it have similarities with notes from other tasks, but after getting an update, this malware started adding self-defining strings: "Your files are encrypted by Netwalker."

Analysts can take a look at these notes by using ANY.RUN Static Discovering. Click on the "Files modification" tab, then find the file with the name such as "{encrypted files extension}-Readme.txt". To take a look inside this file just click on it.

If you find the line above, then be sure that the sample you are dealing with is Netwalker ransomware. With ANY.RUN you can also analyze other types of malware such as Crimson RAT.


Figure 4: How to detect Netwalker ransomware using ANY.RUN


Thanks to the use of advanced persistence and anti-evasion mechanisms, Netwalker is a serious threat to the cybersecurity of organizations. This malware is one of those malicious programs that quickly started utilizing the Coronavirus pandemic for its benefit, which may point to the adaptability of the cyber-gang behind it. Thus, we can be quite certain that Netwalker attacks will continue to happen going forward.

What’s more, usually building a cyber defense against malware that uses code obfuscation is not the easiest task, since the only way to learn about the malicious program is through dynamic analysis, which demands significant time and resources.

01/28/20 Update: In January 2021 US and Bulgarian law enforcement agencies teamed up against NetWalker. Bulgarian authorities took over domains in a dark web used by malware actors. It was used to provide ransom instructions and connect with victims.

Sebastien Vachon-Desjardins, a Canadian citizen, was charged in a Florida court, that accused him of obtaining over $27.6 million from infecting companies with NetWalker. On January 10th, authorities managed to seize $454,530.19 in cryptocurrency, which is made up of payments made by malware victims.

ANY.RUN malware hunting service enables researchers to perform dynamic analysis in an interactive and safe online environment with our user-friendly tools and help learn as much as possible about this and other similar ransomware threats.


Adwind screenshot
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy