
NetWalker Ransomware

The NetWalker ransomware first appeared in August 2019 (it was known as "Mailto" at the time). The team behind it operates under the RaaS (ransomware-as-a-service) model, providing infrastructure, tooling and support to affiliates in exchange for a share of the proceeds.

Over the past year, NetWalker has become one of the most notorious ransomware families. Its targets are organizations in the United States and Europe, including several healthcare providers. Attacks on such institutions have continued even though some well-known threat actors publicly stated that they would not hit hospitals and other medical organizations during the pandemic.

NetWalker's operators practise double extortion, which has recently become a trend among ransomware groups. The group behind NetWalker not only demands a ransom to decrypt files, but also steals sensitive data and files from victims before encryption.

Unless the ransom is paid, the group threatens to leak the stolen data. This tactic blunts backups as a defence: restoring from backup recovers the files but does nothing to prevent the leak. Other ransomware groups that use the double-extortion model include Maze, REvil and DoppelPaymer.

The group behind NetWalker runs a countdown to the payment deadline on its leak blog on the dark web, where it also posts details of new victims. If the ransom is not paid by the deadline, the stolen data is published on that blog.


NetWalker's targets span a wide range of sectors, including educational institutions, local governments, healthcare providers and private-sector companies. In June 2020, three universities in the United States were hit: the University of California, San Francisco, Michigan State University and the University of Chicago.

Last year, various government agencies in Austria and Argentina were also victims of NetWalker. The attackers behind NetWalker have not spared healthcare providers either: 13 GB of data was reportedly stolen in the NetWalker attack on Wilmington Surgical Associates, and other medical organizations, including the Crozer-Keystone Health System, have been targeted as well.

Other companies have also been affected, such as the American auto-parts distributor NameSouth, Pakistan's electric utility K-Electric, and the Australian transport and logistics company Toll Group.

NetWalker operators have been observed using several methods to compromise businesses and organizations. These include phishing emails with COVID-19 themed lures, weak or exposed Remote Desktop Protocol (RDP) credentials, internet-facing web applications and unpatched VPN appliances.

For example, one attack was launched through a VBS file attached to an email with COVID-19 related content.


When executed, the script drops the ransomware payload into the user's %temp% directory and then runs NetWalker from there.
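The drop-to-%temp%-and-execute behaviour described above is easy to catch from endpoint telemetry, because a script host (wscript.exe or cscript.exe, which is what a .vbs attachment runs under) has no business writing an executable into the user's Temp folder and then launching it. The following is an added example written for this page, not code from the original post or from any vendor: it parses a few constructed Sysmon-style FileCreate and ProcessCreate records (the pipe-separated format, file names, user names and timestamps are all made up for the example) and correlates a file written to %TEMP% by a script host with a later process start of that same file, falling back to a weaker rule for any process started from %TEMP% with a script-host parent.

```python
"""Behavioural detection for a script-host dropper that writes a payload to %TEMP%
and executes it. Added example run over constructed Sysmon-style events, not real telemetry."""
import re
from datetime import datetime, timedelta

# Windows script hosts that a .vbs attachment runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Per-user %TEMP% (C:\Users\<name>\AppData\Local\Temp\...), matched case-insensitively.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def parse_event(line):
    """Parse 'timestamp|EventType|Key=Value|Key=Value...' (constructed format) into a dict."""
    ts, kind, *fields = line.strip().split("|")
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path):
    return bool(USER_TEMP_RE.match(path))


def detect_script_drop_and_run(lines, window=timedelta(minutes=5)):
    """Return alerts for (1) a file written to %TEMP% by a script host and executed within
    `window`, and (2) any process started from %TEMP% whose parent is a script host
    (covers the case where the FileCreate record was missed)."""
    drops = {}      # lower-cased dropped path -> FileCreate event that wrote it
    alerts = []
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        if ev["kind"] == "FileCreate":
            if basename(ev["Image"]) in SCRIPT_HOSTS and in_user_temp(ev["TargetFilename"]):
                drops[ev["TargetFilename"].lower()] = ev
        elif ev["kind"] == "ProcessCreate":
            image = ev["Image"]
            drop = drops.get(image.lower())
            parent_is_host = basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS
            if drop is not None and ev["ts"] - drop["ts"] <= window:
                alerts.append({"rule": "script_drop_then_execute", "path": image,
                               "dropper": drop["Image"], "ts": ev["ts"]})
            elif parent_is_host and in_user_temp(image):
                alerts.append({"rule": "script_host_spawned_temp_binary", "path": image,
                               "dropper": ev["ParentImage"], "ts": ev["ts"]})
    return alerts


# Constructed sample telemetry: paths, file names, users and times are illustrative only.
SAMPLE_EVENTS = [
    "2020-03-12T09:14:02Z|FileCreate|Image=C:\\Windows\\System32\\wscript.exe|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\constructed_payload.exe",
    "2020-03-12T09:14:03Z|ProcessCreate|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\constructed_payload.exe|ParentImage=C:\\Windows\\System32\\wscript.exe",
    "2020-03-12T09:20:00Z|ProcessCreate|Image=C:\\Program Files\\Git\\cmd\\git.exe|ParentImage=C:\\Windows\\explorer.exe",
    "2020-03-12T10:00:00Z|FileCreate|Image=C:\\Windows\\System32\\wscript.exe|TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\report.txt",
    "2020-03-12T11:30:00Z|ProcessCreate|Image=C:\\Users\\carol\\AppData\\Local\\Temp\\update.exe|ParentImage=C:\\Windows\\SysWOW64\\cscript.exe",
]

if __name__ == "__main__":
    for alert in detect_script_drop_and_run(SAMPLE_EVENTS):
        print(alert["ts"].isoformat(), alert["rule"], alert["path"], "via", alert["dropper"])
```

The correlation rule is the high-confidence one; the fallback rule is noisier (some legitimate installers are launched from Temp by logon scripts) and is better used as a hunting query than as a blocking alert. A text file written to Temp by a script host, as in the fourth sample record, is deliberately not flagged on its own.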

IOCs (MD5 hashes)

992f7298f301d36b795a8de7468821ac
e9ca5e3e3e381d7f13f20f9ef7b2cd48
1ccdf29a374e655369eb3f1ade1959ba
477d0af6a0c291f1c28ea061729cfced
45f328f6f8bd60ca36fe038caae3188f
450637ef16f6d7d4b3dfd08559e276f5
f7b11957e43d6f6f2325f2af21d37043
08fc5603be1a08f423fbafe1e2604d0e
b0a7ed2c7d13936f35062006af83a291
5ed1a1ce1b5100a0175e66d60d195163
3229e2489dde524195cf0ccbbf5f7d40
1b033111b8923c12f1d84e09769806f5
94aaba1df50e8150d7580e25f406fc07
8abeb5ff29edcec85afa45e3300ba769
3ddaba84ba73adc4ce294df6aee4a05c
88a0a07f4c6604dfdb172a462cf9ab48
15b774b20c3170166f9e90c3391e5604
e6611198a2f1f2c98d4e740d1f6101d9
67eac150c47f4607161460c307e3b088
4a2773e912a9f54767547a7641caa358
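The hashes above are MD5 digests of known NetWalker samples, which makes them useful for a quick sweep of file shares or an EDR hash export. The script below is an added example for this page, not tooling from the original post: it carries the page's IOC list, hashes files in a directory tree in chunks so large files do not have to be read into memory, and normalises exported hash strings before matching. The `demo()` function builds a throwaway directory with two constructed files and adds the MD5 of one of them to the IOC set purely so the sweep has a hit when run offline; the file names and contents are made up.

```python
"""Sweep files and exported hash lists against the NetWalker MD5 IOCs listed on this page.
Added example; demo files are constructed and are not malware samples."""
import hashlib
import os
import tempfile

# MD5 hashes from the IOC list on this page (32 hex characters each).
NETWALKER_MD5 = {
    "992f7298f301d36b795a8de7468821ac", "e9ca5e3e3e381d7f13f20f9ef7b2cd48",
    "1ccdf29a374e655369eb3f1ade1959ba", "477d0af6a0c291f1c28ea061729cfced",
    "45f328f6f8bd60ca36fe038caae3188f", "450637ef16f6d7d4b3dfd08559e276f5",
    "f7b11957e43d6f6f2325f2af21d37043", "08fc5603be1a08f423fbafe1e2604d0e",
    "b0a7ed2c7d13936f35062006af83a291", "5ed1a1ce1b5100a0175e66d60d195163",
    "3229e2489dde524195cf0ccbbf5f7d40", "1b033111b8923c12f1d84e09769806f5",
    "94aaba1df50e8150d7580e25f406fc07", "8abeb5ff29edcec85afa45e3300ba769",
    "3ddaba84ba73adc4ce294df6aee4a05c", "88a0a07f4c6604dfdb172a462cf9ab48",
    "15b774b20c3170166f9e90c3391e5604", "e6611198a2f1f2c98d4e740d1f6101d9",
    "67eac150c47f4607161460c307e3b088", "4a2773e912a9f54767547a7641caa358",
}


def file_md5(path, chunk_size=1 << 20):
    """MD5 of a file, read in 1 MiB chunks so large files are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def match_hashes(hashes, iocs=NETWALKER_MD5):
    """Match hash strings exported from EDR/AV against the IOC set.
    Normalises case and stray whitespace; returns the matching hashes in lower case."""
    hits = []
    for raw in hashes:
        normalised = raw.strip().lower()
        if len(normalised) == 32 and normalised in iocs:
            hits.append(normalised)
    return hits


def sweep_directory(root, iocs=NETWALKER_MD5, max_size=64 << 20):
    """Walk `root` and return (path, md5) for every readable file whose MD5 is in `iocs`.
    Files above `max_size` bytes are skipped; ransomware payloads are small executables."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                digest = file_md5(path)
            except OSError:  # unreadable or vanished file: skip, do not abort the sweep
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


def demo():
    """Offline demo: builds a temp tree with a benign file and a constructed 'sample',
    and extends the IOC set with the constructed sample's own MD5 so the sweep has a hit.
    Returns the base names of matched files."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "notes.txt")
        sample = os.path.join(root, "sub", "constructed_sample.bin")
        os.makedirs(os.path.dirname(sample))
        with open(benign, "wb") as fh:
            fh.write(b"quarterly report draft")          # constructed benign content
        with open(sample, "wb") as fh:
            fh.write(b"constructed test sample, not malware")  # constructed, labelled as such
        iocs = NETWALKER_MD5 | {file_md5(sample)}       # demo-only extension of the IOC set
        return [os.path.basename(path) for path, _ in sweep_directory(root, iocs)]


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches the exact samples already seen; a repacked or recompiled build of the same payload produces a different MD5, so treat a sweep like this as a triage step alongside the behavioural detection, not as a substitute for it. For a real sweep, run it against the IOC set as shipped and point `sweep_directory` at user profile and Temp directories first.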