The operators behind NetWalker (aka Mailto) ransomware have proven time and time again that they do not hold back. At a time when even some of the most active ransomware-centric actors are backing off from attacking medical targets due to the COVID-19 pandemic, NetWalker ransomware continues to attack them. The ransom demands are steep and almost guarantee that the victim will choose to be uncooperative, leading to the victim’s data being leaked publicly.
In recent weeks, U.S. educational institutions have been heavily targeted with NetWalker ransomware. Michigan State University, University of California San Francisco and Columbia College of Chicago have all been hit. With the recent move to a RaaS (Ransomware-as-a-Service) model, the potential for even greater expansion is on the horizon. Consequently, detection and clean-up are no longer sufficient to ensure organizational data remains confidential and secure. Prevention is the only cure for threats like NetWalker, which hit organizations with the double-edged sword of encryption by ransomware and extortion via threats of public data exposure.
NetWalker: A Brief Chronology
NetWalker appeared on the scene in mid-2019. Like other well-supported ransomware families, the operators target high-value global entities. The group’s targets range across multiple industries and span the education, medical and government sectors.
As we have seen with Maze, Ragnar, REvil and others, the NetWalker operators harvest data from their targets and use it as leverage, threatening to post or release the data if the target does not comply with their demands. To date, stolen data belonging to twelve different NetWalker victims has been publicly posted. The attackers behind NetWalker campaigns are known to use common utilities, post-exploitation toolkits and Living-off-the-Land (LOTL) tactics to explore a compromised environment and siphon off as much data as possible. These tools can include mimikatz (and variations thereof), various PSTools, AnyDesk, TeamViewer, NLBrute and more.
Over the last few months, we have seen NetWalker transition to a RaaS (Ransomware as a Service) delivery model, which will potentially open up the platform to an increased number of enterprising criminals. More recently, we have observed NetWalker spam campaigns using COVID-19-related lures to entice victims into initiating infection.
NetWalker Affiliate Preconditions
For would-be criminals responding to NetWalker advertisements, the ‘affiliate partner’ details the screening process that is a prerequisite to becoming a NetWalker affiliate. Initially, the affiliate partner requests the following information from the potential client:
- What your general targets of interest are
- A list of your experience and supporting proof
- Proof of persistent access to high-value targets, and some indication around your ‘intentions’
Further screening criteria include:
- Must NOT be an English speaker
- Must have persistent and broad access to high-value targets
- Must be ready to move on infections ASAP
Recent NetWalker Attacks
There have been many high-profile attacks attributed to NetWalker in the last several months. In March 2020, multiple hospitals in Spain were targeted. In those specific attacks, victims were enticed with ‘updated information on COVID-19’ via attached PDF files. These PDFs were weaponized and led to the installation of the ransomware. While some ransomware operators have stated that they will hold off on attacks against medical facilities during the pandemic, NetWalker seems to be diving in head first, even using COVID-19 as a social engineering lure.
In February 2020, Toll Group, a global holdings, shipping and logistics company, was hit by NetWalker, causing significant outages along with a direct effect on their customers.
In many of these recent attacks, the ransomware payload is delivered via a specially crafted, heavily obfuscated PowerShell loader. Once the actors have worked their way into privileged access on the target environment’s domain controller, they aim to launch the loader on as many hosts as they can reach.
Initial delivery is primarily via email with malicious attachments, as well as trojanized applications. The actors behind NetWalker have also been known to make use of fileless delivery and execution methods, including reflective DLL injection. With the shift to a RaaS platform, there is greater emphasis on targeting environments which are already compromised or easily accessible.
Throughout the various waves, NetWalker variants all appear to extract the runtime data they need from an embedded configuration file. Target-specific data, including ransom note text, exclusion paths, included extensions, process kill list and more, is held in this embedded, encoded configuration. The actors behind NetWalker also embrace sophisticated techniques to increase stealth and complicate causal analysis. This includes process hollowing, in which the malware injects itself into a legitimate process such as explorer.exe and removes the original executable. At that point, the infection is effectively hiding in the address space of a legitimate process.
The exact encryption recipe can vary across variants. The targeted extensions are determined by the embedded configuration file, and NetWalker will attempt to encrypt files with these extensions across local drives, accessible network shares and ‘hidden’ administrative shares such as Admin$.
Generally speaking, local file encryption is initiated via a call to GetLogicalDriveStringsW to locate ‘local’ drives or volumes. Once they are located, the local encryption process begins. The malware attempts to impersonate the logged-in user (current user’s token / ImpersonateLoggedOnUser) and calls WNetUseConnectionA and WNetAddConnection2W for network and adjacent volume encryption. GetNetShares is often called to assist in locating hidden or administrative shares (admin$ / IPC$). Individual file encryption is typically handled via a ChaCha stream cipher. We have also observed the use of Salsa20, which is closely related; ChaCha is a later variant of Salsa20 and both were designed by the same author.
NetWalker takes care to ensure that any data or files targeted for encryption or exfiltration are not locked by other software. Each configuration file contains a list of processes to discover and kill so that they do not interfere with data collection or file encryption. The configuration file lists both services and processes to kill prior to the malware’s main tasks.
Similar precautions are taken with regard to any running task which may interfere with the operations of the malware.
The NetWalker configuration file also contains a base64-encoded copy of the ransom note. Quite often this includes the targeted company name and other related data. The encoded string is assigned to the ‘lend’ value of the configuration file.
Current NetWalker configuration files may contain any or all of the following fields:
- lfile – Ransom note file name / formatting
- spsz – Assigned encryption chunk size parameters
- lend – Base64-encoded ransom note string
- namesz – Length of the randomly generated file name
- thr – Assigned number of threads for encryption operations
- mpk – Public key
- unlocker – Exclusion list during decryption
- idsz – Length of the randomly generated ID
- mode – Encryption mode
- net – Toggles for encryption of network resources
- kill – List of processes, tasks and service names to terminate
- white – Whitelist / exclusion list for encryption
- onion2 – Payment / blog URL 2
- onion1 – Payment / blog URL 1
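As an added illustration (not code from the original post or from any NetWalker sample), the following parser takes a configuration built from the field names above, decodes the ‘lend’ ransom note and produces a defender-oriented summary. The JSON layout, the nested ‘kill’ and ‘white’ sub-keys and every value are constructed placeholders; only the top-level field names come from the list above.

```python
import base64
import json

# Constructed sample using the field names listed above; the values and the
# nested layout of "kill"/"white" are placeholders, not data from a real sample.
SAMPLE_CONFIG = json.dumps({
    "lfile": "{id}-Readme.txt",
    "spsz": 1024,
    "lend": base64.b64encode(
        b"Hi EXAMPLE-CORP, your files are encrypted ...").decode(),
    "namesz": 8,
    "thr": 1500,
    "mpk": "PLACEHOLDER-PUBLIC-KEY",
    "unlocker": ["decrypt-tool.exe"],
    "idsz": 8,
    "mode": 0,
    "net": 1,
    "kill": {"prc": ["sql", "backup"], "svc": ["vss"], "tsk": ["backupjob"]},
    "white": {"path": ["windows", "program files"], "ext": ["exe", "dll", "sys"]},
    "onion1": "http://PLACEHOLDER1.onion",
    "onion2": "http://PLACEHOLDER2.onion",
})

def parse_netwalker_config(raw: str) -> dict:
    """Turn a decoded configuration into an analyst summary."""
    cfg = json.loads(raw)
    # 'lend' carries the base64-encoded ransom note; decode it for analysts.
    note = base64.b64decode(cfg.get("lend", "")).decode("utf-8", "replace")
    # Flatten processes, services and tasks into one list of kill targets.
    kill = cfg.get("kill", {})
    targets = kill.get("prc", []) + kill.get("svc", []) + kill.get("tsk", [])
    white = cfg.get("white", {})
    return {
        "ransom_note": note,
        "note_filename": cfg.get("lfile"),
        "kill_targets": sorted(set(t.lower() for t in targets)),
        "excluded_paths": white.get("path", []),
        "excluded_extensions": white.get("ext", []),
        "encrypt_network": bool(cfg.get("net", 0)),
        "threads": cfg.get("thr"),
        "onion_urls": [u for u in (cfg.get("onion1"), cfg.get("onion2")) if u],
    }

def processes_at_risk(summary: dict, running: list) -> list:
    """Which running process/service names would the kill list hit?
    Kill entries are treated as case-insensitive substrings (an assumption)."""
    return [p for p in running
            if any(t in p.lower() for t in summary["kill_targets"])]
```

Feeding the summary your own process inventory shows which backup or database services the kill list would stop before encryption, which is a useful check when tuning detections.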
Naming and persistence are also dictated via the configuration file. The random file name length is pulled from the ‘namesz’ value in the configuration file. The executable will typically be dropped in
Program Files (x86)\randomname\randomname.exe or
Program Files\randomname\randomname.exe depending on architecture.
If the malware does not have administrative privileges, it will deposit itself in the respective user’s
AppData\Roaming path. Persistence is set via the registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware also stores an encoded data blob in
HKCU\Software\(Random name). This data is called upon for various encryption and decryption tasks.
NetWalker also attempts to inhibit system recovery via deletion of Volume Shadow Copies. The command syntax used is:
Vssadmin.exe delete shadows /all /quiet
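As an added detection example (not from the original post), the script below runs two checks over constructed Sysmon-style events: a process-creation event whose command line deletes shadow copies, and a Run-key value whose target follows the Program Files\randomname\randomname.exe drop pattern. The event format, the folder name ‘qdjx’ and the assumption that AppData\Roaming drops use the same name\name.exe layout are mine, not from the post.

```python
import re

# Constructed Sysmon-style events (EID 1 = process create, EID 13 = registry
# value set). Paths and the folder name "qdjx" are made up for this example.
SAMPLE_EVENTS = r'''
2020-06-01T10:01:02Z EID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Windows\explorer.exe
2020-06-01T10:01:05Z EID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qdjx Details="C:\Program Files\qdjx\qdjx.exe"
2020-06-01T10:01:09Z EID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor Details="C:\Program Files\Vendor\updater.exe"
2020-06-01T10:02:00Z EID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\Windows\System32\cmd.exe
'''.strip().splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# <dir>\<name>\<name>.exe under Program Files or AppData\Roaming. The AppData
# form is assumed to mirror the Program Files naming described above.
DROP_PATH_RE = re.compile(
    r"(\\Program Files( \(x86\))?|\\AppData\\Roaming)\\([A-Za-z0-9]+)\\\3\.exe$",
    re.I)

def parse_event(line: str) -> dict:
    """Split a 'key=value' event line into a dict; the first token is the timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def check_event(ev: dict):
    """Return (rule, evidence) if the event matches a NetWalker behaviour, else None."""
    if ev.get("EID") == "1" and SHADOW_DELETE_RE.search(ev.get("CommandLine", "")):
        return ("shadow_copy_deletion", ev["CommandLine"])
    if ev.get("EID") == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        if DROP_PATH_RE.search(ev.get("Details", "")):
            return ("run_key_random_name_persistence", ev["Details"])
    return None

def scan(lines) -> list:
    """Run both checks over every event and collect the alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hit = check_event(ev)
        if hit:
            alerts.append({"ts": ev["ts"], "rule": hit[0], "evidence": hit[1]})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The benign ‘list shadows’ call and the vendor Run entry are included to show that the rules key on the delete verb and on the folder-name-equals-file-name pattern rather than on vssadmin or Run-key activity alone.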
Victim Data Leakage
Earlier this year, NetWalker began publishing victim data to a public blog (accessible via Tor). Similar to Maze, DoppelPaymer, REvil, Ragnar and others, they list ‘non-compliant’ victims along with download links to the leaked data. For those victims that still have time, a countdown clock indicates how long is left before the actors start leaking files. Based on the advertisements for the RaaS versions of NetWalker, this ‘feature’ is fully automated for their affiliates.
To date, there are eleven companies listed on the NetWalker blog site. The most targeted industries are Financial Services and Education, but they are by no means focused only on those verticals. Companies tied to Health Care, Oil & Energy, Retail Services, Media & Advertising, and Government entities are all represented. It is important to note that not all of the links to the dumped data are functional. The hosting providers (e.g., Mega, DropMeFiles) appear to have taken action on some of them. With that being said, the NetWalker blog does currently host just under 11GB of stolen company data, with an ongoing promise to release more. Some of that amount consists only of ‘preview’ data, which they threaten to expand on in the coming weeks and months.
NetWalker is just one of several families that have fully embraced this ‘double attack’ scenario. Simply cleaning up after the ransomware is no longer sufficient. Even when eradicating the attackers from your environment, the issue of publicly leaked data still looms large. Prevention, in these attacks, is absolutely critical. Stopping the attackers before they gain any traction is the most effective way to protect you and your sensitive data. SentinelOne’s Endpoint Protection and Singularity platform are the most robust and powerful tools at the disposal of today’s defenders.
Indicators of Compromise