Ransomware Profile: NetWalker

NetWalker is a type of ransomware that was first detected in August 2019. It has gone through a number of iterations since then, evolving into a sophisticated ransomware-as-a-service (RaaS) that has earned tens of millions of dollars for the NetWalker team and their affiliates.

What is NetWalker?

NetWalker, formerly known as Mailto, is a sophisticated ransomware family that encrypts a target’s data using Salsa20 encryption and demands a ransom to recover files. It tends to target high-value entities such as hospitals, universities, enterprises and government agencies.

As a human-operated ransomware, NetWalker operators often spend a significant amount of time establishing a foothold in the target environment after the initial compromise. Harvesting credentials, spreading laterally and exfiltrating data before deploying the ransomware payload enables operators to maximize the impact and profitability of an attack. Like some other ransomware groups, the threat actors behind NetWalker threaten to publish or sell stolen data on their leak site if victims refuse to pay the ransom.

NetWalker operates under the RaaS model, whereby vetted affiliates can distribute the ransomware and collect a cut of the ransom payments. Affiliates allegedly earn up to 80 percent of ransom payments, with the remaining 20 percent going to the NetWalker group.

The history of NetWalker

NetWalker was discovered in August 2019. It was initially referred to as “Mailto” because of the .mailto extension it appended to encrypted files, but analysis of the ransomware’s decryptor indicated that “NetWalker” was the developer’s intended name for the malware.

Over the next few months, NetWalker gained the attention of the cybersecurity world with several high-profile attacks on major organizations such as Spanish hospital Torrejón and Australian logistics company Toll Group.

The NetWalker affiliate program was introduced in March 2020. Representatives of the NetWalker team began advertising their program and recruiting affiliates on DarkWeb forums, with the aim of scaling up operations. In contrast to some ransomware groups that welcome mass distribution methods, the NetWalker team expressly sought to hire only technically adept, Russian-speaking affiliates with proven network intrusion experience.

Toward the end of March 2020, we saw a dramatic spike in NetWalker activity as affiliates took advantage of the COVID-19 crisis to lure in unsuspecting victims. NetWalker operators distributed pandemic-related phishing emails that contained a visual basic scripting attachment, which triggered the malicious payload when opened.

In July 2020, the FBI released an alert warning of a rise in NetWalker attacks on government organizations, education entities, private companies, and health agencies.

In August 2020, an analysis of bitcoin addresses linked to NetWalker indicated that the previous five months had been extremely profitable for the ransomware group. Between 1 March and 27 July 2020, the NetWalker ransomware gang made more than $25 million in ransom payments.

NetWalker ransom note

After encrypting the target system, NetWalker drops a ransom note on the desktop and within infected directories.

In early NetWalker incidents, the ransom note instructed victims to contact attackers directly via email.

However, after NetWalker shifted to RaaS in March 2020, we saw some significant changes to the communication instructions provided in the ransom note. Instead of email, the victim is now instructed to contact attackers through the NetWalker Tor page, where they can enter a personal code included in the ransom note. The victim is then directed to a live chat with NetWalker technical support, where payment negotiations can be made.

Who does NetWalker target?

NetWalker targets entities in both the private and public sectors. Government organizations, educational institutions, healthcare providers and enterprises across a wide range of verticals have been impacted by NetWalker.

The NetWalker group prohibits affiliates from targeting Russia and members of the Commonwealth of Independent States.

How does NetWalker spread?

We have seen NetWalker affiliates use a variety of methods to distribute ransomware. However, current campaigns primarily focus on exploiting VPN appliances and software vulnerabilities. Below is a list of techniques NetWalker operators have used or are currently using to gain initial access to a target network.

• Software exploits: NetWalker includes tools that look for and exploit known vulnerabilities in outdated server software, such as Oracle WebLogic and Apache Tomcat. There have also been instances of attackers exploiting web apps such as Telerik UI.
• VPN appliances: NetWalker operators attempt to gain an initial foothold in the network by exploiting known vulnerabilities in VPN appliances such as Pulse Secure VPN.
• RDP: NetWalker affiliates attempt to gain access to corporate networks via poorly secured RDP connections. Brute-force tools such as NLBrute can be used to breach the perimeter and help attackers move laterally after compromising a network.
• Phishing: While NetWalker operators currently tend to favor network infiltration, in the past they have used phishing campaigns to distribute the ransomware. Threat actors took advantage of the COVID-19 crisis to send pandemic-related phishing emails to healthcare personnel. The emails included a visual basic script attachment, which executed a malicious payload upon execution.

After infiltrating a network, NetWalker operators use a variety of commonly available tools to harvest credentials, move laterally across the network and exfiltrate data. The ransomware payload is typically delivered via a PowerShell script embedded within the NewWalker ransomware executable. In some cases, the PowerShell script can be executed directly in memory via reflective dynamic-link library (DLL) injection instead of storing it on disk, which helps it evade detection and maintain persistence.

Major NetWalker attacks

Toll Group

Australian transportation and logistics company Toll Group was one of the first major companies to be severely impacted by NetWalker. In late January 2020, NetWalker infected more than 1,000 of the company’s servers, forcing Toll Group to shut down multiple systems, disable several customer-facing applications and revert to manual processes. It took more than six weeks for Toll Group to bring its core services back online.

Healthcare organizations

A number of healthcare organizations in the United States suffered NetWalker infections over the course of 2020. In March, a NetWalker incident disabled the website of Champaign-Urbana Public Health District, a public-health agency in Illinois; in June, NetWalker operators exfiltrated data from Crozer-Keystone Health System, a large health care provider in Philadelphia; also in June, the data of almost 50,000 patients was stolen and encrypted during a NetWalker attack on nursing home operator Lorien Health Services.

University of California, San Francisco

In June 2020, UCSF was infected with NetWalker. The ransomware impacted a number of servers within the university’s School of Medicine, forcing security teams to quarantine several IT systems to prevent the infection from spreading. UCSF made the decision to pay $1.14 million to recover the encrypted data, noting in a press release that “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.” Within the same week as the UCSF attack, Columbia College, Chicago, and Michigan State University were also hit by NetWalker.

Trinity Metro

In July 2020, Trinity Metro, a Texas-based transit agency responsible for 8 million passenger trips annually, was hit by NetWalker, which impacted customer service and booking systems. On the NetWalker leak site, threat actors posted screenshots of hundreds of files they had stolen during the attack alongside a timer counting down the days until the information would be released. A few days later, Trinity Metro’s name was removed from the NetWalker leak site, indicating that the agency may have paid the ransom.

Authorities seize NetWalker site

In late January 2021, the U.S. Department of Justice announced a coordinated international law enforcement effort to disrupt NetWalker.

An investigation led by the FBI’s Tampa field office resulted in Canadian authorities arresting Sebastien Vachon-Desjardins, a Canadian national who allegedly stole more than $27.6 million as a NetWalker affiliate. Law enforcement also seized $454,530.19 in cryptocurrency payments made by three separate NetWalker victims.

At the same time, authorities in Bulgaria seized computers affiliated with NetWalker. The NetWalker leak site now displays a seizure banner notifying visitors that it has been seized by government agencies.

If decryption keys are discovered on the seized machines, the law enforcement action could potentially help the victims of NetWalker restore their encrypted data.

It is unclear at this stage how the seizure will impact the group’s activities in the long run. We will continue to update this page with new information as it becomes available.

How to protect the network from NetWalker and other ransomware

The following practices may help organizations reduce the risk of a NetWalker incident.

• Cybersecurity awareness training: Because the majority of ransomware spreads through user-initiated actions, organizations should implement training initiatives that focus on teaching end-users the fundamentals of cybersecurity. Ransomware and propagation methods are constantly evolving, so training must be an ongoing process to ensure end-users are across current threats.
• Credential hygiene: Practicing good credential hygiene can help prevent brute force attacks, mitigate the effects of credential theft and reduce the risk of unauthorized network access.
• Multi-factor authentication: MFA provides an extra layer of security that can help prevent unauthorized access to accounts, tools, systems and data repositories. Organizations should consider enabling MFA wherever possible.
• Security patches: Organizations of all sizes should have a robust patch management strategy that ensures security updates on all endpoints, servers, and appliances are applied as soon as possible to minimize the window of opportunity for an attack.
• Backups: Backups are one of the most effective ways of mitigating the effects of a ransomware incident. Many strains of ransomware can spread laterally across the network and encrypt locally stored backups, so organizations should use a mixture of media storage, and store backup copies both on- and off-site. See this guide for more information on creating ransomware-proof backups.
• System hardening: Hardening networks, servers, operating systems and applications is crucial for reducing the attack surface and managing potential security vulnerabilities. Disabling unneeded and potentially exploitable services such as PowerShell, RDP, Windows Script Host, Microsoft Office macros, etc. reduces the risk of initial infection while implementing the principle of least privilege can help prevent lateral movement.
• Block macros: Many ransomware families are delivered via macro-embedded Microsoft Office or PDF documents. Organizations should review their use of macros, consider blocking all macros from the Internet, and only allow vetted and approved macros to execute from trusted locations.
• Email authentication: Organizations can use a variety of email authentication techniques such as Sender Policy Framework, DomainKeys Identified Mail, and Domain-Based Message Authentication, Reporting and Conformance to detect email spoofing and identify suspicious messages.
• Network segregation: Effective network segregation helps contain incidents, prevents the spread of malware and reduces disruption to the wider business.
• Network monitoring: Organizations of all sizes must have systems in place to monitor possible data exfiltration channels and respond immediately to suspicious activity.
• Penetration testing: Penetration testing can be useful for revealing vulnerabilities in IT infrastructure and employees’ susceptibility to ransomware. Results of the test can be used to allocate IT resources and inform future cybersecurity decisions.
• Incident response plan: Organizations should have a comprehensive incident response plan in place that details exactly what to do in the event of infection. A swift response can help prevent malware from spreading, minimize disruption and ensure the incident is remediated as efficiently as possible.

How to remove NetWalker and other ransomware

NetWalker uses sophisticated encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool.

Victims of NetWalker should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended:

• Take action to contain the threat.
• Determine the extent of the infection.
• Identify the source of the infection.
• Collect evidence.
• Restore the system from backups.
• Ensure all devices on the network are clean.
• Perform a comprehensive forensic analysis to determine the attack vector, the scope of the incident and the extent of data exfiltration.
• Identify and strengthen vulnerabilities to reduce the risk of a repeat incident.