NetWalker Ransomware: No Respite, No English Required

The operators behind NetWalker (aka Mailto) ransomware have proven time and time again that they do not hold back. In a time where even some of the most active ransomware-centric actors are backing off from attacking medical targets due to the COVID-19 pandemic, NetWalker ransomware continues to attack them. The ransom demands are steep and almost guarantee that the victim will choose to be uncooperative, leading to the victim’s data being leaked publicly.

In recent weeks, U.S. educational institutions have been heavily targeted with NetWalker ransomware. Michigan State University, University of California San Francisco and Columbia College of Chicago have all been hit. With the recent move to a RaaS (Ransomware-as-a-Service) model, the potential for even greater expansion is on the horizon. Consequently, detection and clean-up are no longer sufficient to ensure organizational data remains confidential and secure. Prevention is the only cure for threats like NetWalker, which hit organizations with the double-edged sword of encryption by ransomware and extortion via threats of public data exposure.

NetWalker: A Brief Chronology

NetWalker appeared on the scene in mid-2019. Similar to other well-supported ransomware families, the operators target high-value, global entities. The group’s targets range across multiple industries and span the education, medical, and government sectors.

As we have seen with Maze, Ragnar, REvil and others, NetWalker harvests data from its targets, and the operators use it as leverage by threatening to post or release the data if the target does not comply with their demands. To date, stolen data belonging to twelve different NetWalker victims has been publicly posted. The attackers behind NetWalker campaigns are known to use common utilities, post-exploit toolkits and Living-off-the-Land (LOTL) tactics to explore a compromised environment and siphon off as much data as possible. These tools can include mimikatz (and variations thereof), various PSTools, AnyDesk, TeamViewer, NLBrute and more.

Over the last few months, we have seen NetWalker transition to a RaaS (Ransomware as a Service) delivery model, which will potentially open up the platform to an increased number of enterprising criminals. More recently, we have observed NetWalker spam campaigns using COVID-19-related lures to entice victims into initiating infection. 

NetWalker Affiliates Preconditions

For would-be criminals responding to NetWalker advertisements, the ‘affiliate partner’ details the screening process which is a prerequisite to becoming a NetWalker affiliate. Initially, the affiliate will request the following information from the potential client:

  1. What your general targets of interest are
  2. A list of your experience and supporting proof
  3. Proof of persistent access to high-value targets, and some indication around your ‘intentions’

Further screening criteria also include:

  1. Must NOT be an English speaker
  2. Must have persistent and broad access to high-value targets
  3. Must be ready to move on infections ASAP

Vendors offering NetWalker RaaS access currently tout the following feature set:

  • Fully Automated TOR-based chat panel
  • Support for Windows 2000 and above
  • Full visibility into potential target environments
  • Fast & multi-threaded locker
  • Highly flexible configuration options
  • Encrypts adjacent network volumes
  • Unique build and obfuscation process
  • Automated blog for victim data posting

Recent NetWalker Attacks

    There have been many high-profile attacks attributed to NetWalker in the last several months. In March 2020, multiple hospitals in Spain were targeted. In those specific attacks, victims were enticed with ‘updated information on COVID-19’ via attached PDF files. These PDFs were weaponized and led to the installation of the ransomware. While some ransomware operators have stated that they will hold off on attacks against medical facilities during the pandemic, NetWalker seems to be diving into it head first and even using COVID as a social engineering lure.

    In February 2020, Toll Group, a Global Holdings, Shipping, and Logistics company, was hit by NetWalker, causing significant outages along with a direct effect on their customers.

    In many of these recent attacks, the ransomware payload is delivered via a specially-crafted PowerShell loader, which is heavily obfuscated. By working their way into privileged access on the target environment’s domain controller, they aim to launch the specialized loader on as many hosts as accessible.

    Technical Data

    Initial delivery is primarily via email with malicious attachments, as well as trojanized applications. The actors behind NetWalker have also been known to make use of fileless delivery and execution methods, including reflective DLL injection. With the shift to a RaaS platform, there is greater emphasis on targeting environments which are already compromised or easily accessible. 

    Throughout the various waves, NetWalker variants all appear to extract necessary runtime data from an embedded configuration file. Target-specific data, including ransom note text, exclusion paths, included extensions, process kill list, and more is included in the embedded, and encoded, configuration data. The actors behind NetWalker also embrace sophisticated techniques to increase stealth and complicate causal analysis. This includes process hollowing, in which the malware injects itself into a legitimate process such as explorer.exe and removes the original executable. At that point, the infection is effectively hiding in the space of a legitimate process.

    The exact encryption recipe can vary across variants. Specific extensions are determined in the embedded configuration file, and NetWalker will attempt to encrypt files with these extensions across local drives, accessible network shares as well as ‘hidden’ shares such as Admin$. 

    Generally speaking, local file encryption will be initiated via a call to GetLogicalDriveStringsW to locate ‘local’ drives or volumes. Once located, the local encryption process will begin. The malware will attempt to impersonate the context of the logged-in user (current user’s token / ImpersonateLoggedOnUser) along with calls to WNetUseConnectionA and WNetAddConnection2W for network and adjacent volume encryption. GetNetShares is often called to assist in locating hidden or administrative shares (admin$ / IPC$). Individual file encryption is typically handled via a ChaCha stream cipher. We have also observed the use of Salsa20, which is closely related; both methodologies appear to have been developed by the same individual.

    NetWalker is very careful to ensure the availability of any data/files targeted for either encryption or exfiltration. Each configuration file contains a list of processes to discover and kill so as to not interfere with data collection or file encryption. The configuration file lists both services and processes to kill prior to the malware’s main tasks.

    Similar precautions are taken with regards to any running task which may interfere with the operations of the malware.

    The NetWalker configuration file also contains a base64-encoded copy of the ransom note. Quite often this includes the targeted company name and other related data. The encoded string is assigned in the ‘lend’ value of the configuration file.

    Current NetWalker configuration files may contain any or all of the following fields:

    1. lfile – Ransom note name/formatting
    2. spsz – Assigned encryption chunk size parameters
    3. lend – B64 encoded ransomware note string
    4. namesz – randomly assigned name length
    5. thr – Assigned number of threads for encryption operations
    6. mpk – public key
    7. unlocker – exclusion list during decryption
    8. idsz – randomly assigned ID length
    9. mode – Encryption Mode
    10. net – toggles for encryption of network resources
    11. kill – list of processes, tasks, and service names to terminate
    12. white – Whitelist / Exclusion list for encryption
    13. onion2 – Payment / Blog URL 2
    14. onion1 – Payment / Blog URL 1
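As an added illustration (not code from the original article or from the vendor), the Python sketch below summarises a configuration that has already been extracted and decoded, so responders can read the ransom note and turn the kill list and payment URLs into hunting terms. It assumes the decoded configuration is JSON; the function names, the sample values and the layout of the `kill` value are constructed for the example.

```python
import base64
import binascii
import json

# Field names exactly as listed in the article above.
DOCUMENTED_FIELDS = {
    "lfile", "spsz", "lend", "namesz", "thr", "mpk", "unlocker",
    "idsz", "mode", "net", "kill", "white", "onion1", "onion2",
}

def decode_note(lend):
    """Decode the base64 ransom note held in 'lend'; None if it is not valid."""
    try:
        # Tolerate stripped '=' padding, common in strings carved from memory.
        padded = lend + "=" * (-len(lend) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError, TypeError):
        return None

def flatten(value):
    """Collect names from a list, or from lists nested one level in a dict."""
    if isinstance(value, dict):
        value = [x for v in value.values() if isinstance(v, list) for x in v]
    return sorted({x for x in value if isinstance(x, str)}) if isinstance(value, list) else []

def triage_config(raw):
    """Summarise a decoded configuration (assumed to be JSON) for responders."""
    cfg = json.loads(raw)
    return {
        "note_name": cfg.get("lfile"),
        "note_text": decode_note(cfg.get("lend")),
        "payment_urls": [cfg[k] for k in ("onion1", "onion2") if cfg.get(k)],
        "kill_targets": flatten(cfg.get("kill")),
        "undocumented_fields": sorted(set(cfg) - DOCUMENTED_FIELDS),
        "absent_fields": sorted(DOCUMENTED_FIELDS - set(cfg)),
    }

# Constructed sample: every value and the value layout are invented for illustration.
SAMPLE_NOTE = "Hi EXAMPLE-CORP, your files are encrypted"
SAMPLE_CONFIG = json.dumps({
    "lfile": "{id}-Readme.txt",
    "lend": base64.b64encode(SAMPLE_NOTE.encode()).decode().rstrip("="),
    "kill": ["sqlservr.exe", "backup_svc", "sqlservr.exe"],
    "onion1": "placeholder1.onion", "onion2": "placeholder2.onion",
    "extra": 1,
})

if __name__ == "__main__":
    print(json.dumps(triage_config(SAMPLE_CONFIG), indent=2))
```

Fields reported under `undocumented_fields` are worth a second look, since they may indicate a variant newer than the field list above.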

    Naming and persistence are also dictated via the configuration file. The random file name is pulled from the ‘namesz’ value in the configuration file. The executable will typically be dropped in Program Files (x86)\randomname\randomname.exe or Program Files\randomname\randomname.exe depending on architecture.

    If the malware does not have administrative privileges, it will deposit itself in the respective user’s AppData\Roaming path. Persistence is set in the registry via HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware also stores an encoded data blob in HKCU\Software\(Random name). This data is called upon for various encryption and decryption tasks.

    NetWalker also attempts to inhibit system recovery via deletion of Volume Shadow Copies. The command syntax used is:

    Vssadmin.exe delete shadows /all /quiet
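The persistence and recovery-inhibition behaviours described above can be hunted together. The following Python sketch is an added example, not code from the original article: it flags the quoted vssadmin command and Run-key values that point at a `<name>\<name>.exe` drop, then reports hosts showing both. The event field names and sample events are constructed, and applying the same-name layout under AppData\Roaming is an assumption.

```python
import ntpath
import re

# The shadow-copy deletion quoted in the article; case and quoting vary in logs.
VSS_DELETE = re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b.*?/all\b', re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Assumption: the same-name folder layout is also used under AppData\Roaming.
DROP_ROOT = re.compile(r"\\Program Files(?: \(x86\))?\\|\\AppData\\Roaming\\", re.I)

def same_name_drop(value):
    r"""True for <drop root>\...\<name>\<name>.exe, the layout described above."""
    path = value.split('"')[1] if value.startswith('"') else value
    folder = ntpath.basename(ntpath.dirname(path))
    stem, ext = ntpath.splitext(ntpath.basename(path))
    same = ext.lower() == ".exe" and stem != "" and stem.lower() == folder.lower()
    return same and DROP_ROOT.search(path) is not None

def classify(event):
    """Return the set of rule names a single event matches."""
    hits = set()
    if event["type"] == "process" and VSS_DELETE.search(event["cmdline"]):
        hits.add("shadow_copy_deletion")
    if event["type"] == "registry" and RUN_KEY.search(event["key"]):
        if same_name_drop(event["value"]):
            hits.add("run_key_same_name_drop")
    return hits

def hosts_with_both(events):
    """Hosts showing persistence and recovery inhibition together."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return sorted(h for h, rules in per_host.items() if len(rules) == 2)

# Constructed events (not real telemetry); the field names are hypothetical.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmdline": "Vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "registry",
     "key": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\qkzfwa",
     "value": r'"C:\Program Files (x86)\qkzfwa\qkzfwa.exe"'},
    {"host": "ws02", "type": "process", "cmdline": "vssadmin list shadows"},
    {"host": "ws02", "type": "registry",
     "key": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\App\updater.exe"},
    {"host": "ws03", "type": "process",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
]

if __name__ == "__main__":
    print(hosts_with_both(SAMPLE_EVENTS))
```

The same-name rule is a heuristic: some legitimate software installs to a folder named after its executable, so baseline it against known-good Run entries before alerting on it alone.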

    Victim Data Leakage

    Earlier this year, NetWalker began publishing victim data to a public blog (accessible via TOR). Similar to Maze, DoppelPaymer, REvil, Ragnar and others, they list ‘non-compliant’ victims along with download links to the leaked data. For those victims that still have time, a countdown clock indicates how much time is left before the actors start leaking files. Based on the advertisements for the RaaS versions of NetWalker, this ‘feature’ is fully automated for their affiliates.

    To date, there are eleven companies listed on the NetWalker blog site. The most targeted industries are Financial Services and Education. They are by no means focused only on those verticals. Companies tied to Health Care, Oil & Energy, Retail Services, Media & Advertising, and Government entities are all represented. It is important to note that not all of the links to the dumped data are functional. The providers (e.g., Mega, DropMeFiles) appear to have taken action on some of them. That said, the NetWalker blog does currently host just under 11GB of stolen company data, with an ongoing promise to release more. Some of that amount consists only of ‘preview’ data, which they threaten to expand on in the coming weeks and months.

    Conclusion

    NetWalker is just one of several families that have fully embraced this ‘double attack’ scenario. Simply cleaning up after the ransomware is no longer sufficient. Even when eradicating the attackers from your environment, the issue of publicly leaked data still looms large. Prevention, in these attacks, is absolutely critical. Stopping the attackers before they gain any traction is the most effective way to protect you and your sensitive data. SentinelOne’s Endpoint Protection and Singularity platform are the most robust and powerful tools at the disposal of today’s defenders.

    Indicators of Compromise

    MITRE ATT&CK

    T1053 – Scheduled Task
    T1060 – Registry Run Keys / Startup Folder
    T1093 – Process Hollowing
    T1471 – Data Encrypted for Impact
    T1490 – Inhibit System Recovery