NetWalker ransomware (AKA Mailto), discovered in August 2019, was initially named Mailto after the extension that was appended to encrypted files. Further analysis of one of its decryptors indicates that its actual name is NetWalker; it primarily targets the enterprise and government sectors.
Mailto is not the first new ransomware variant to use novel methods to evade security controls. A Snatch ransomware strain reboots victims' computers into Safe Mode to disable any resident antimalware solutions, then immediately starts encrypting files when the system restarts.
NetWalker Attack History
NetWalker attacks follow several predictable paths, including:
In September 2019, security researchers discovered "Mailto", a new ransomware family, initially named for the extension that was appended to encrypted files.
In January 2020, NetWalker was used to attack a Spanish hospital, Torrejón. The attack was launched through phishing emails to healthcare personnel and eventually led to two weeks of hospital lockdown to perform system recovery.
On January 31st, Mailto ransomware attacked Toll Group, an Australian transportation and logistics company, encrypting all the Windows devices connected to the company network. More than 1000 servers were infected, forcing Toll Group to shut down much of its IT infrastructure. Toll Group was attacked again in short order by a relatively new form of ransomware known as Nefilim, first discovered in March 2020, which evolved from the Nemty ransomware family and is distributed through exposed Remote Desktop Protocol (RDP) services.
In February 2020, the Australian Cyber Security Centre (ACSC), a subsidiary of the Australian Signals Directorate (ASD), posted a Mailto ransomware alert, indicating that Mailto ransomware attacks had been confirmed throughout the region.
Hackers next used NetWalker ransomware to infect the Champaign-Urbana Public Health District website in Illinois in March 2020, amid the Coronavirus pandemic, resulting in the website being taken down and employees being unable to access their medical documents and files.
In May 2020, Northwest Territories Power Corporation (NTPC), a Canadian power company, was attacked by NetWalker, leading to its official website being shut down.
After the attack on Northwest Territories Power Corporation, NetWalker ransomware adopted the same behavior pattern as other popular ransomware operators: publicly releasing stolen data if the ransom went unpaid.
Analysis of open data revealed that hackers had exfiltrated data from victims during the ransomware attacks and had saved the sensitive information for later publication if the organizations did not respond to the extortion demands, or for publication even after the ransom was paid, hoping for a double payday. In November 2019 the Maze ransomware group started publishing stolen information to the web; cybercriminal groups including Maze, Sodinokibi/REvil, DopplePaymer, Clop, Sekhmet, Nephilim, Mespinoza and NetWalker now do the same. Many launched their own websites to publish and leak stolen data as a tactic to pressure victim organizations into paying the ransom.
Below is a list of organizations whose data was leaked, as published by the ransomware operators:
Barbizon Capital was attacked and data stolen on 13th May 2020.
Nichols, Rick and Company, a full-service public accounting firm based in Silicon Valley, CA, was attacked on 14th May 2020, suffering 15GB of data leakage including a number of confidential and financial documents belonging to both the company and its clients. Below are screenshots of the leaked folders:
The City of Weiz was attacked on May 20th, resulting in leaked confidential data. (https://www.weiz.at/)
Valuation Research Corporation was attacked on May 23rd, resulting in the NetWalker operator leaking over 100 employees' information. That information was later deleted, and it is conjectured that the victim paid the ransom demand. (https://www.valuationresearch.com/)
On May 24th, NetWalker operators targeted a textiles company, Porcher Industries.
Apparel company, Colmar, was attacked using NetWalker on May 24th.
Also on May 24th, NetWalker operators leaked client log data stolen from Bollore Logistics, one of the 500 largest companies in the world, and one of the 200 largest companies in Europe.
On May 25th, 2020, NetWalker operators leaked data from the Australian institution SFI Health.
The Australian customer service company Stellar was attacked on May 26th, 2020, leaking sensitive data and information.
As you can see, NetWalker is prolific and widespread, with many more attacks both published and unpublished over the course of a very short time.
NetWalker Operation Flow Analysis
NetWalker operators have been recruiting affiliates since March 2020, hoping to expand their range of activities. Their online posts highlight some of the huge ransoms they have received from their victims, with ransom payments averaging between $696,000 and $1.5 million USD. They offer potential affiliates 70% of the paid ransom amount, promising the attractive sum of between $487,000 and $1 million from each successful ransom payment.
In pursuit of large, million-dollar payoffs, NetWalker operators also created a leak site on the dark web as a platform for their recruited affiliates to upload links to stolen data and set automatic countdown deadlines for data publication. NetWalker operators took things to the next level by allowing their affiliates to create posts that include the victim's name, a description, links to the data, the password for the data files, and the time and date the data will be leaked. The website shows a countdown associated with a particular victim's data in an effort to force them to consider making the payment. When the countdown completes, the leaked data is automatically published with a link and password. The data is most often hosted on the file-sharing website MEGA. After NetWalker operators started earning huge amounts using this method, they focused on recruiting the best talent for their group, improving their organization and widening their attack options.
In the last few months, NetWalker has become very active, transitioning to a RaaS (Ransomware as a Service) delivery model and thoroughly changing its business development methods. This new business model enables NetWalker to work with other experienced hacker organizations to spread ransomware in larger networks, threatening more victims and ensuring that the ransomware trend remains consistently profitable.
NetWalker published their ransomware alliance program statement on March 19th, 2020, introducing their goals and making it clear that they are seeking to work with quality hackers, setting them apart from other, less discriminating ransomware operators. Many ransomware operators only employ native speakers from their country of operation (i.e. Russian-speaking hackers are only employed in Russia). NetWalker also provides information specific to a targeted victim as a reward to potential members, sometimes including IP addresses, domain administrator account details, Network Attached Storage (NAS) access, and the organization's name and revenue. After NetWalker's RaaS model had been available for a month (April 19th, 2020), NetWalker updated their member requirements, announcing that they were seeking a Russian speaker, experienced in attacks beyond phishing, for new and ongoing projects. Traditional cybercrime organizations use large-scale phishing to infiltrate target networks, a task normally allocated to amateur hackers. According to NetWalker's recruitment statement, they have decided to break with tradition and selectively build an exclusive group of top-level cyber intruders to execute their new RaaS business model.
Through analysis of previous cases and recruitment statements, it was confirmed that NetWalker was actively taking advantage of the COVID-19 pandemic to spread more phishing emails, increase the number of members and expand their sphere of influence. NetWalker operators require new partners to possess access rights to large networks, leading to the conclusion that NetWalker will mainly spread ransomware in one of two ways:
1. Phishing and spam email
2. Large-scale network invasion
RaaS Business Model
The Ransomware-as-a-Service (RaaS) business model adopted by NetWalker operators is important to understand. Analysis shows that NetWalker is a group of Russian-speaking operators who recruit hackers on the dark web. While the NetWalker ransomware first appeared in September 2019, one of their known recruiters, alias Bugatti, only started recruiting other cybercriminals in March 2020.
The following variants were observed before the publication of this article; this is by no means a comprehensive list of the entire ransomware family.
First Generation NetWalker Variants
The first generation of the NetWalker ransomware family used PowerShell reflection to load and execute a DLL file.
After that, it calls the export function Do. The core ransomware is a 32-bit DLL file; its actual file name, found after extraction, is Netwalker_dll.dll. Because it is a 32-bit DLL, it cannot be injected into a 64-bit process, so it has no effect on 64-bit processes.
Second Generation NetWalker Variants
The second-generation NetWalker variant added a malicious DLL for the x64 environment to the script, so it supports running on 64-bit systems. The extracted or decrypted PE file showed unique characteristics after injection of the malicious DLL on an x64 system.
The original PowerShell script of the second-generation variant of NetWalker is, in part, as follows:
A clear naming pattern can be identified after the deobfuscation process, and the script content can then be viewed and analysed.
The process explorer.exe is injected via the remote thread injection method and the export function Do is executed. If the injection fails, the address of the export function Do is obtained directly and the function invoke is loaded and executed. The subsequent core components of the ransomware also obfuscate the API functions they call by placing them in a structure, as follows:
Similar to the first variant, the DLL has an export table.
The final loaded and executed DLL file is similar to the first generation and will not be analysed again.
Third Generation NetWalker Variants
The third-generation variant uses variable name obfuscation, which increases the difficulty of analysis. It also uses process injection to inject into the explorer.exe process. However, the malicious DLL is a binary file without an MZ header. This technique is used to evade internal forensic tools that perform a quick check on the executable file injected into the process.
Part of the result after the deobfuscation process is shown below: the variant has obfuscated the variable names, and the MZ header has been replaced with the bytes 0xad, 0xde.
There is no export table in the x86 version of the ransomware DLL, as follows (the beginning of the file has been modified to "MZ"):
The compilation time is 2nd May, as follows:
Subsequent execution can be performed directly at the entry point of the DLL without calling the function Do, as follows:
There is no export table in the x64 version of the ransomware DLL either, as follows:
Same as above: subsequent execution can be performed directly at the entry point of the DLL without calling the function Do, as follows:
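As an added example (not code from the original article), the check below shows how a defender can still recover the facts the article reads from the headers of an injected blob whose "MZ" magic has been overwritten: it follows e_lfanew to the "PE\0\0" signature, then reads the machine type, the compile timestamp and whether an export directory is present. The sample blobs are constructed in the code (header-only, not real NetWalker payloads); the 0xad 0xde bytes and the 2 May compile date mirror what the article describes.

```python
import struct
from datetime import datetime, timezone

DOS_MAGIC = b"MZ"
ARCH = {0x14C: "x86", 0x8664: "x64"}

def build_sample(machine, pe32plus, export_size, timestamp, magic=b"\xad\xde"):
    """Constructed header-only PE image (not real malware); by default the DOS
    magic is overwritten with 0xad 0xde like the third-generation injectable."""
    dos = magic + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    dir_off = 112 if pe32plus else 96          # data directories start here
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B).ljust(dir_off, b"\0")
    opt += struct.pack("<II", 0x1000 if export_size else 0, export_size)  # export dir
    opt = opt.ljust(dir_off + 16 * 8, b"\0")   # 16 data directories in total
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, len(opt), 0x2022)
    return dos + b"PE\0\0" + coff + opt

def inspect_blob(buf):
    """Recover PE facts from a memory blob even when 'MZ' has been wiped.
    Returns None if no PE signature is reachable through e_lfanew."""
    if len(buf) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    opt_off = e_lfanew + 24                     # "PE\0\0" + 20-byte COFF header
    if opt_off + 2 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, ts, _, _, _, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    pe32plus = struct.unpack_from("<H", buf, opt_off)[0] == 0x20B
    dir_off = opt_off + (112 if pe32plus else 96)
    if dir_off + 8 > len(buf):
        return None
    _, export_size = struct.unpack_from("<II", buf, dir_off)
    return {
        "dos_magic_intact": buf[:2] == DOS_MAGIC,
        "arch": ARCH.get(machine, hex(machine)),
        "compiled": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d"),
        "has_exports": export_size != 0,
    }

if __name__ == "__main__":
    # Two constructed blobs mirroring the article: x86 and x64, no exports,
    # compile timestamp 2 May 2020 (constructed value), DOS magic wiped.
    for name, blob in (("x86", build_sample(0x14C, False, 0, 1588420800)),
                       ("x64", build_sample(0x8664, True, 0, 1588420800))):
        print(name, inspect_blob(blob))
```

A blob that yields a result with dos_magic_intact false but a valid PE signature is exactly the headerless injectable the article describes and is worth flagging in memory forensics.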