This threat report is about the NetWalker ransomware previously known as Mailto. Since it was first detected in August 2019, NetWalker has quickly evolved and is now considered highly dangerous due to its implementation of advanced anti-detection and persistence techniques.
This report gives a technical analysis of its recently-observed behavior, as well as preventative measures that can be implemented to protect against NetWalker’s highly effective extortion efforts.
Related Reading: Ragnar Locker Ransomware New Invasion Technique
Although variants of NetWalker have been observed since August 2019, there has been a significant increase in prevalence since March 2020.
As the threat has evolved over the past few months, its establishment as a robust ransomware-as-a-service (RaaS) model has been evident. This enables even novice cybercriminals to launch a successful ransomware attack against targets.
NetWalker has been observed primarily infiltrating large-scale corporate networks. Researchers have linked large sums of bitcoin to ransomware, indicating its extortion efforts have likely been effective.
The following shows the global prevalence of these attacks:
As the evolution of this malware has progressed, researchers have observed the implementation of more sophisticated defense evasion techniques along with other advanced features making these attacks more difficult to investigate by security analysts.
In one recently analyzed case, the payload began with a PowerShell script that was executed directly in memory. No ransomware binary was stored on the disk, this enabled the malware to maintain persistence and evade detection by performing the attack through tools that were already present in the system.
One of the techniques leveraged with this process is referred to as "reflective DLL injection". This allows a DLL injection from memory rather than from a disk. This method does not require an actual DLL file on a disk or a Windows loader for injection, allowing evasion from DLL load monitoring tools.
In this case, the ransomware DLL was injected into the memory of the legitimate process explorer.exe. The diagram below shows a graphical representation of the PowerShell script observed in this variant of NetWalker:
The malware’s first action in the executable process is to combine all required functions into one, combining the Windows modules with additional DLLs.
The malware also uses Process Environment Block (PEB) to inhibit analysis. If the malware fails to obtain its configuration file, it will terminate itself.
After successful completion of all encryption actions, the malware shows a ransom note, displayed in Notepad, informing the user of what has happened and threatening permanent data loss if the ransom is not paid. After all ransom actions have been completed, the malware attempts to remove itself to avoid being detected or analyzed.
Further technical information can be found linked in the Sources section below.
Related Reading: Ransomware Prevention to Incident Response
Employing adequate preventative measures greatly minimizes the risk of being infected. One of the most effective methods is having good security policies and practices in place before an incident occurs:
Although the complications of a ransomware attack can be detrimental, it is only one of many ways critical data can be lost. Because of this, it is imperative that companies have a regular backup routine in place. Data backed up should also be moved to an isolated location off-site for protection in the case that ransomware or any other location-specific event were to occur.
Related Reading: 5 Ways to Prevent Ransomware
In the unfortunate event that ransomware is active in your environment, keep in mind that paying the ransom does not guarantee you will receive the decryption key to get your data back.
It is also not guaranteed that you will not be infected again shortly after, since the vulnerabilities in your infrastructure that caused the infection, to begin with, are still exposed and susceptible to attack.
Finally, the more victims who pay the ransom, the more profitable it is for cybercriminals, so this response encourages the continuation of these attacks.
IBM X-Force Exchange (IOC list):
MITRE ATT&CK Techniques:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!