What is Netwalker Ransomware? Attack Methods & Protection Tips

Since ransomware was founded in 1996, many ransomware gangs have attempted and failed to quake the cybersecurity landscape. But some have broken through and even rearranged it with their obfuscatory cyberattack methods.

Netwalker ransomware is an example of such a success. Within its first six months of operation, the ransomware gang received more than $25 million in ransom payments.

What is Netwalker ransomware and why is it so lethal?

To learn more, read on.

What is Netwalker Ransomware?

Netwalker ransomware is a Window's specific ransomware that encrypts and exfiltrates all of the data it beaches. After a successful attack, victims are presented with a ransom note demanding a bitcoin payment in exchange for a full decryption of the compromised data.

The secret behind Netwalker's ransom payout success lies in their double-extortion tactic, a strategy also used by the notorious ransomware gang Maze. A sample of the breached sensitive data is instantly published on the dark web as proof of the breach. Victims are presented with this evidence and given an ultimatum to pay the ransom price to avoid further publishing on the criminal infested network.

The cybercriminals group behind the Netwalker ransomware is known as Circus Spider.

How Did Netwalker Ransomware Become Popular?

In March 2020, Netwalker ransomware shifted to a Ransomware-as-a-Service model (RaaS). This is an adaptation of the Software-as-a-Service model. Criminal affiliates sign up to launch cyberattacks with the ransomware.

SaaS products empower users to execute complex processes, in just about any industry, without coding expertise. LIkewise, RaaS solutions empower even the most novel hackers to execute highly sophisticated ransomware attacks.

Since shifting to an RaaS model, Netwalker expanded its global reach in a very short period of time. Criminal affiliates receive an extravagant percentage of each ransom payment, and with an unlimited earning potential, they're motivated to rapidly spread the ransomware far and wide.

But multiplying RaaS affiliates is not the only key to achieving a heinous global reputation. Even though RaaS solutions don't require expert hackers, it does help to be one.

Cybersecurity defenses now consist of complex firewall layers and secure VPNs. To infiltrate these barriers, you cannot solely rely on the RaaS solution. You need additional hacking expertise to tailor breaching solutions for each unique breaching problem.

With such an expert network, each affiliate's chances of penetration will be high, and with the resulting successful breach streak, the utilized RaaS tool will build upon its rapidly developing reputation.

To recruit these expert affiliates, Circus Spider posted invitations to their affiliate program, alongside a list of essential criteria, in Russian criminal forums on the dark web.

Netwalker ransomware affiliates need to:

  • Be fluent Russian-speaking and Russian-typing hackers
  • Have extensive ransomware attack experience
  • Have extensive network penetration experience
  • Have an extensive list of high profile targets
  • Be capable of providing evidence of all their experience.

in a leaked recruitment post, it was discovered that Circus Spider broaden their focus to internet-exposed Remote Desktop Protocols (RDPs) rather than just the ubiquitous spear-phishing attack vector.

To make their offer tantalising, Circus Spider published a list of benefits for successful candidates including:

  • Unlimited access to autocrypt.exe after the first payout of at least 10 BTK
  • Access to a PowerShell (a method of distributing ransomware via an email attachment) after the first payout of at least 10 BTK
  • Opportunity to personally work for the ransomware gang on a contractual basis

Netwalker ransomware affiliates are well looked after. Compared to other RaaS solutions, Netwalker is on the generous end of the spectrum, paying their affiliates up to 80% of each successful ransom payment.

With their army of seasoned threat actors at the ready, Netwalker (also known as mailto) launched their first wave of RaaS attacks in March 2020.

The cybercrime network worked relentlessly, tipping over business after business, taking advantage of global coronavirus distractions.

Who Does Netwalker Target?

Netwalker attackers even targeted the healthcare sector, tricking staff into injecting the malware through Covid-themed phishing emails. These attacks were severe enough to prompt a flash alert by the FBI in July 2020.

Some of Netwalker's notable victims included:

Besides the health sector, the following industries are also targeted by Netwalker:

  • Business management solutions
  • Customer experience management
  • Manufacturing
  • Education and battery management

Netwalker spread their net over a digital world that overlooked its security posture amid the pandemic chaos, claiming victims over a majority of the globe in a few short months.

Global prevalence of Netwalker ransomware
Global prevalence of Netwalker ransomware - source: mcafee.com

How Does Netwalker Ransomware Work?

Netwalker ransomware is most commonly introduced into an ecosystem via phishing emails. These emails appear to come from legitimate sources, so recipients are tricked into click on links and downloading attachments.

In their machiavellian Covid-themes phishing emails, Netwalker attached a visual basic script titled CORONAVIRUS_COVID-19.vbs

Netwalker phishing email attachment
Netwalker phishing email attachment - source: bleepingcomputer.com

Here's an example of a Netwalker phishing email.

Covid phishing email netwalker ransomware
Covid-themed Netwalker phishing email - source: ncsc.org

When these phishing email scripts are activated, the executable saved in the victim's temp folder and the attack is initiated.

netwalker executable save destination
Netwalker executable is saved in the temp folder - source: bleepingcomputer.com

Victims are unaware of anything unusual happening as the Netwalker ransomware infects their systems. This is because the malware operates clandestinity under the guide of legitimate Microsoft processes. This is achieved through a technique known as 'process harrowing', where code from Microsoft's executable is replaced with Netwalker's malicious code to access

Netwalker then initiates a mass exfiltration of all the breached sensitive data, The stolen data is also heavily encrypted to prevent victims from getting access to the compromised data.

Only when the attack is complete does the victim notice that their system has been compromised. A ransom note left by attackers in a TXT file confirms any suspicions.

Netwalker ransom note
Netwalker ransom note - source mcafee.com

After the ransom note has been deployed, a subset of the exfiltrated data is published on the dark web and shown to the victim as proof of the successful breach. This is when the clock starts ticking and victims are pressured to make the ransom payment to avoid further sensitive data being published on the dark web.

Victims are instructed to submit their ransom payment via an anonymous communication network, through a TOR browser portal

Netwalker payment gateway
Newalker's payment gateway on TOR network - source: elmundo.es

Victims are provided with a decryption tool for their specific Netwalker variant when a ransom payment is made.

Learn more about how to decrypt ransomware.

How to Protect Yourself from Netwalker Ransomware

The following mitigation procedures are recommended to defend your business from Netwalker attacks.

Backup all of your data on external hard drives

External hard drives should not replace cloud storage, but rather complement it. Offline backups are very difficult to penetrate and they'll become your primary source of truth if your cloud data is compromised.

Implement a highly efficient and regulatory external hard drive back up process.

Enforce two-factor authentication

Ensure you and all of your staff enable two-factor authentication for all of your processes. Though it may cause vexation at times, this security barrier is still one of the most effective defenses against cyber attacks.

Ensure all software patches are up to date

Outdated software is not protected by the latest security patches. Vendors are always developing security updates to ensure their customers are not breached through vulnerabilities in their software.

This includes regularly updating your antivirus and anti-malware software.

Regularly update endpoint passwords

Ensure your endpoint passwords are highly secure and updated regularly. You should also enable two-factor authentication for all your endpoints.

Monitor your security posture

Netwalker ransomware, like all ransomware, penetrates through vulnerabilities in a business's security defences. By continuously monitoring and strengthening your security posture, you will dramatically decrease your chances of falling victim to a Netwalker attack.

Implement a third-party risk management solution

Cyberattacks often slip through the defenses of your vendors, placing your business as the next victim in line for an attack. As evidenced by Netwalker's RAPID growth, cyber attacks move at lightning speed, so you cannot solely rely on your vendors to notify you of a breach before it's too late.

By implementing a third-party risk management solution, you'll be equipped to prevent third part breaches and discover potential vendor risks.

Is your business at risk of a Netwalker attack?

At UpGuard, we can help you strengthen your security posture to effectively defend against ransomware attacks. Our patented cybersecurity technology also continuously monitors for vulnerabilities in your entire vendor network to prevent cyber attacks from compromised third parties.

Continue Learning about Cyber Threats

Ready to see
UpGuard in action?