One of the latest ransomware families spreading en masse is Netwalker. Cybersecurity researchers have reported that Netwalker was written in C++ by a group of Russian-speaking hackers. It was first discovered sometime between late August and September 2019. Netwalker is also referred to as Mailto or Koko.

Netwalker compromises the network and encrypts all Windows devices connected to it using robust encryption algorithms with a near-zero probability of decryption. Netwalker operators also demand that victims pay ransoms in Bitcoin, and those ransoms are steep. If the victim balks at paying, the attackers threaten to make the stolen information public on the dark web, ratcheting up the pressure to pay.

Over the past eight months, researchers have seen Netwalker transition to a ransomware-as-a-service (RaaS) delivery model, potentially opening up the platform to an increased number of enterprising cybercriminals. Currently, Netwalker operates as a closed-access RaaS portal. Under this model, Netwalker creators provide their partners, also skilled cybercriminals, with a customizable kit that makes it easier to launch attacks. These partners are granted access to the web portal hosted on the dark web, where they can design custom versions of the ransomware.

Identification by antivirus software

The creators used a packer and a unique compression format to prevent antivirus applications from detecting Netwalker. Antivirus programs assign different names to this worm once they detect it. Below is the list of Netwalker names previously identified by various antivirus applications:

  1. Other:Malware-gen [Trj]
  2. Trojan.PowerShell.Agent.GV
  3. A Variant Of Generik.CMKGJSA
  4. HEUR:Trojan.PowerShell.Generic
  5. Trojan.Encoder.31707
  6. Win64/Filecoder.Netwalker.A
  7. PS/Netwalker.b
  8. Virus.powershell.qexvmc.1
  9. Trojan.Gen.NPE
  10. Ransom:PowerShell/NetWalker!MTB

How Netwalker works

A ransomware analysis reveals that the primary way for Netwalker to infect your Windows-based machines is by distributing executable files (EXE) across the network.

The worm can also gain access to an individual machine and then spread to the network through phishing attacks or spam emails with an attached VBScript. The Netwalker infection can be described as taking place in stages. Below we take a closer look at the entire process.

Stage 1. Infecting computers

Netwalker infects computers by using multiple methods and entryways. Below are the most popular infection methods:

  1. Exploiting vulnerabilities in Telerik UI (CVE-2019-18935) and Pulse Secure VPN (CVE-2019-11510) to infiltrate business networks. If a VPN is used, the router’s browser-based interface remains accessible from the internet, thus presenting another vulnerable point.
  2. Gaining access through remote desktop applications of user accounts with weak credentials.
  3. Taking advantage of existing exploits in Oracle WebLogic and Apache Tomcat servers.

Stage 2. Distributing EXE files

Netwalker-infected EXE files can have different names. File names made of random characters (usually hexadecimal characters) plus the EXE extension are popular, for example a5df26c1.exe or qeSw.exe. However, an infected file may also carry a non-random name, such as WTVConverter.exe.

The following processes are launched upon the execution:

  1. C:\Users\testuser\Desktop\a5df26c1.exe
  2. C:\Windows\system32\explorer.exe
  3. C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  4. \??\C:\Windows\conhost.exe 0xffffffff -ForceV1
  5. C:\Windows\system32\notepad.exe "C:\Users\testuser\Desktop\A8DCE-Readme.txt"

As you can see, once Netwalker runs its EXE file, it deletes the shadow volume copies in silent mode to prevent the user from using the built-in Windows recovery tools. Then conhost.exe, started with the -ForceV1 flag, connects to the Windows console application and requests the information directly from the OS kernel.

Notepad is then used to write a readme file with ransomware instructions in various folders. A command to delete the shadow copies is executed using the original Explorer and the injected Explorer processes. In light of the above, machine/network users need to pay special attention to Explorer processes.

Stage 3. Injecting Netwalker in Windows Explorer

One of the techniques used to inject the Netwalker payload into explorer.exe of the attacked OS is called Process Hollowing. Netwalker creates a new explorer.exe process in a suspended state, unmaps the process memory and replaces the actual process image with the ransomware code.

Once the malicious code injection has taken place, a new instance of the explorer.exe process that looks legitimate is spawned, and the original ransomware process is then killed. These tactics prevent a regular user from identifying the Netwalker process in Task Manager and Process Explorer.

One of the methods to determine whether the attackers have succeeded in injecting the Netwalker payload is checking for the presence of an unusual path belonging to the modified explorer.exe process. Such a modified process would be running as C:\Windows\SysWOW64\explorer.exe while the legitimate explorer.exe process must run as C:\Windows\explorer.exe. This change of path occurs if the executable file of Netwalker is 32-bit. A 32-bit version of Explorer in a 64-bit system runs in the SysWOW64 folder.
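As an added example that is not part of the original article, the Python triage function below applies the Stage 2 and Stage 3 indicators described above to constructed Sysmon-style process-creation records: a vssadmin shadow-copy deletion, an explorer.exe running from a path other than C:\Windows\explorer.exe, and an explorer.exe spawned by a binary in a user profile. The field names, PIDs and sample paths are assumptions modelled on the process list in Stage 2.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records (sample values, not real
# telemetry), modelled on the process chain listed in Stage 2 above.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4012, "image": r"C:\Users\testuser\Desktop\a5df26c1.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\testuser\Desktop\a5df26c1.exe"},
    {"pid": 4120, "image": r"C:\Windows\SysWOW64\explorer.exe",  # hollowed copy
     "parent": r"C:\Users\testuser\Desktop\a5df26c1.exe",
     "cmdline": r"C:\Windows\system32\explorer.exe"},
    {"pid": 4188, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"},
    {"pid": 2044, "image": r"C:\Windows\explorer.exe",  # the real desktop shell
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
]

LEGIT_EXPLORER = r"c:\windows\explorer.exe"
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspicious(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for every indicator that fires."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if basename(image) == "explorer.exe":
            # Stage 3: a 32-bit hollowed Explorer runs from SysWOW64, not C:\Windows
            if image != LEGIT_EXPLORER:
                findings.append((ev["pid"], "explorer.exe from unexpected path " + ev["image"]))
            # The shell is normally started by userinit, not by a binary in a user profile
            if "\\users\\" in ev["parent"].lower():
                findings.append((ev["pid"], "explorer.exe spawned by " + ev["parent"]))
        # Stage 2: silent shadow-copy deletion before encryption starts
        if SHADOW_DELETE.search(ev["cmdline"]):
            findings.append((ev["pid"], "shadow copy deletion: " + ev["cmdline"]))
    return findings

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(pid, reason)
```

On real hosts the same checks can be run over Sysmon event ID 1 records or EDR process telemetry; the legitimate shell (PID 2044 in the sample) produces no finding.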

Stage 4. Adding parameters in Windows Registry

Once the above-outlined steps have been completed and the original executable file of Netwalker deleted, a new executable file is then created in ...\AppData\Roaming\ in the user folder.

For example:

  1. C:\Users\testuser\AppData\Roaming\a5df26c1\a5df26c1.exe

There are several reasons for the malware to be placed in this particular folder. The AppData folder has the hidden attribute and is not visible to users who have not configured Windows Explorer to display all files. Regular users do not need administrator permissions to write files to the AppData folder: it is one of the few locations where a standard account can both write and execute files.

Netwalker creates new entries in the Windows registry to be invoked every time the infected computer boots.

  1. HKLM\Software\Microsoft\Windows\CurrentVersion\Run\a5df26c1
  2. HKLM\Software\a5df26c1\a5df26c1

After adding the keys to the Registry, Netwalker will run every time Windows starts.
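As an added example that is not from the original article, here is a Python triage routine for the Stage 4 persistence pattern. It takes Run-key values (constructed sample entries, value name to command) and flags commands that run from AppData\Roaming, that reuse the same random-looking name for the value, its folder and the executable, and that have a matching HKLM\Software\<name>\<name> companion key. The benign entries, paths and key list are assumptions.

```python
import re
from typing import Dict, List

# Constructed Run-key entries (value name -> command); sample values only.
# The first mirrors the Netwalker layout described above, the others are benign.
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "a5df26c1": r"C:\Users\testuser\AppData\Roaming\a5df26c1\a5df26c1.exe",
    "VendorUpdater": r'"C:\Program Files\Vendor\updater.exe" /silent',
    "SyncClient": r"C:\Users\testuser\AppData\Local\SyncClient\sync.exe --tray",
}
# Constructed list of keys found under HKLM\Software on the same host.
SAMPLE_SOFTWARE_KEYS = [r"HKLM\Software\a5df26c1\a5df26c1", r"HKLM\Software\Vendor"]

HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)

def exe_from_command(cmd: str) -> str:
    """Executable path from a Run-key command, honouring a quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def triage_run_entries(entries: Dict[str, str], software_keys: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious Run value name to the reasons it was flagged."""
    keys = {k.lower() for k in software_keys}
    findings: Dict[str, List[str]] = {}
    for name, cmd in entries.items():
        exe = exe_from_command(cmd)
        parts = exe.replace("/", "\\").split("\\")
        stem = parts[-1].rsplit(".", 1)[0]
        folder = parts[-2] if len(parts) > 1 else ""
        reasons = []
        if "\\appdata\\roaming\\" in exe.lower():
            reasons.append("executable lives in AppData\\Roaming")
        if name.lower() == stem.lower() == folder.lower():
            reasons.append("value name, folder and file name are identical")
        if HEX_NAME.match(name):
            reasons.append("random-looking hexadecimal value name")
        # Stage 4 also creates HKLM\Software\<name>\<name> next to the Run value
        if ("hklm\\software\\" + name + "\\" + name).lower() in keys:
            reasons.append("matching HKLM\\Software companion key")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_SOFTWARE_KEYS).items():
        print(name, "->", "; ".join(reasons))
```

Feed it the output of a registry export (or the winreg module on the host) for both the HKLM and HKCU Run keys; an entry that collects several reasons at once, as the Netwalker sample does, deserves a closer look than a single hit.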

Stage 5. Spreading ransomware across the attacked network

Once the target organization’s network has been infiltrated, and at least one of the machines has been compromised, the attackers use a set of tools to gain lateral access to other computers on the network. User accounts with weak passwords, especially those with permissions for RDP access, and unpatched vulnerabilities serve as the gateways for escalating the attack.

One of the main targets during attacks is the Active Directory Domain Controller. There is evidence that Netwalker creates a Domain Admin account with the SQLSVC user name and gives it the password Br4pbr4p. The attackers then use the Domain Controller to execute Netwalker scripts on every reachable machine so that the ransomware replicates itself, for example using the PsExec tool and certutil:

  1. psexec.exe \\host_name -d -c -f c:\programdata\rundl1.exe

This command copies the payload across the entire network. If an earlier version is found, it is overwritten and run in stealth mode, without notifications or user input.
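As an added example that is not part of the original article, the Python functions below turn the Stage 5 behaviour into two detections run over constructed records: PsExec invocations that copy (-c) and force-overwrite (-f) a local executable onto a remote host, with a lookalike-name check that generalises the rundl1.exe case (a digit 1 standing in for the letter l), and a newly created account (Windows Security event 4720) added to a privileged group (event 4728) shortly afterwards. The simplified event fields, timestamps, the watchlist of imitated names and the sample command lines are assumptions.

```python
# Constructed command lines from a domain controller's process telemetry (sample values).
SAMPLE_CMDLINES = [
    r"psexec.exe \\host_name -d -c -f c:\programdata\rundl1.exe",
    r"psexec.exe \\fs01 -s cmd.exe /c dir",  # routine remote admin, nothing copied
]
# Constructed, simplified Security-log events: 4720 = account created, 4728 = member
# added to a security-enabled global group (Domain Admins is one); times in seconds.
SAMPLE_SECURITY_EVENTS = [
    {"event_id": 4720, "account": "SQLSVC", "time": 100},
    {"event_id": 4728, "account": "SQLSVC", "group": "Domain Admins", "time": 130},
    {"event_id": 4720, "account": "jdoe", "time": 500},
]
IMITATED_NAMES = {"rundll", "rundll32", "svchost", "explorer"}  # assumed watchlist
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}

def lookalike_name(stem):
    """True when replacing digits with the letters they resemble gives a system name."""
    fixed = stem.lower().replace("1", "l").replace("0", "o")
    return fixed != stem.lower() and fixed in IMITATED_NAMES

def psexec_copy_findings(cmdlines):
    """(host, payload, reasons) for each PsExec call that ships a local binary."""
    findings = []
    for cmd in cmdlines:
        tokens = cmd.split()
        if len(tokens) < 3 or not tokens[0].lower().startswith("psexec"):
            continue
        flags = {t.lower() for t in tokens[2:] if t.startswith("-")}
        if "-c" not in flags:  # no local-to-remote copy: ordinary remote admin
            continue
        payload = tokens[-1]
        reasons = ["copies a local executable to the remote host (-c)"]
        if "-f" in flags:
            reasons.append("overwrites any earlier copy on the target (-f)")
        stem = payload.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if lookalike_name(stem):
            reasons.append("lookalike file name " + stem)
        findings.append((tokens[1].lstrip("\\"), payload, reasons))
    return findings

def new_privileged_accounts(events, window=3600):
    """Accounts added to a privileged group within `window` seconds of being created."""
    created = {e["account"].lower(): e["time"] for e in events if e["event_id"] == 4720}
    hits = []
    for e in events:
        if e["event_id"] == 4728 and e.get("group", "").lower() in PRIVILEGED_GROUPS:
            if 0 <= e["time"] - created.get(e["account"].lower(), float("-inf")) <= window:
                hits.append((e["account"], e["group"]))
    return hits
```

The account check is deliberately not tied to the SQLSVC name the article reports, since affiliates can rename it; any fresh account that lands in Domain Admins within the window is worth an alert.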

Stage 6. Encrypting files

Specific extensions are defined in the embedded configuration file, and Netwalker will try to encrypt files with these extensions across local drives, accessible network shares and ‘hidden’ administrative shares such as Admin$. The configuration also defines the paths excluded from encryption, so that Windows keeps functioning during the encryption process and afterwards, when the ransom demand is presented to the user.

Stage 7. Displaying a ransom note

A ransom note is usually created as a text file located in the directories that contain the encrypted files.

Here are some of the email addresses used to send ransom notes to victims of Netwalker:

  1. Hariliuios@tutanota.com
  2. 2Hamlampampom@cock.li
  3. Galgalgalgalk@tutanota.com
  4. kkeessnnkkaa@cock.li
  5. hhaaxxhhaaxx@tuta.io
  6. sevenoneone@cock.li
  7. kavariusing@tutanota.com

In later modifications of Netwalker, instead of sending emails, the note urges the victim to visit a webchat (some_hash_string.onion) located on the Tor network and insert the unique code in the appropriate field of the web interface.

What if you’re infected: The to-do checklist

  1. Disconnect all infected computers from the network immediately. If the computer is connected to the network via Ethernet, physically unplug the cable. If the infected computer is connected to a Wi-Fi network, power off the access point, because the network management function may not work correctly on the infected computer.
  2. Power off all infected computers. Consider shutting down all machines because they might be already infected, but their files may not have been encrypted yet.
  3. Do NOT pay the ransom! Doing so perpetuates ransomware attacks! Besides, there is no guarantee that your files will be recovered. Remember that ransomware gangs attack hospitals, power plants and other critical infrastructure. The operation of these organizations is essential to society’s functioning, and any interruption may cause human deaths. Don’t sponsor criminals!
  4. Prepare a rescue medium, either a DVD or a USB flash drive, or write a bootable image to an SD card as an alternative. This medium must be read-only to avoid infection when it is inserted into the infected computer.
  5. Boot from the rescue medium and remove the ransomware. You can pack Netwalker files into an archive protected with a password and send it to a digital lab specializing in ransomware analysis.
  6. Create an image of the disks containing encrypted/corrupted files, and save the image to an external disk. You may need it later for further analysis and data recovery.
  7. Try to recover deleted files with file-recovery software. You might be able to recover some files if the disk has not been overwritten or erased by the ransomware writing zeroes or random bits. Copy the recovered files to an external disk.

If you have a backup, recover the data from that backup. Make sure that you have deleted harmful files and your computers are no longer infected before starting the recovery. Consider erasing the infected disks and starting full recovery because viruses can leave behind security holes or other backdoor exploits that can be activated later.

Change passwords on each affected computer. In the aftermath of an attack, we recommend changing all other passwords in your organization as well, including passwords for wireless networks and email accounts.

Inform the authorities about the Netwalker ransomware attacks against you and your company.

How to prevent ransomware attacks

The most effective strategy to prevent Netwalker ransomware attacks is twofold: having a security policy in place and performing scheduled data backups.

Your organization should enforce data backup and security policies equally. Keep in mind that even if you had your data backed up before a Netwalker attack and were able to recover it, the attackers can still leak private data that was stolen before it was encrypted by Netwalker. That’s why you should implement security measures to thwart potential attacks. 

NAKIVO Backup and Replication is a universal data protection solution that can help recover data stored in VMware VMs, Hyper-V VMs, Amazon EC2 instances, physical Linux and Windows machines, Oracle databases and Microsoft 365. The NAKIVO solution can back up data to local backup repositories, tape and cloud, including Amazon S3 buckets.