
Netwalker Ransomware

By GoldSparrow in Ransomware

The Netwalker Ransomware is among the most recently uncovered ransomware threats. This file-locking Trojan is a variant of a threat first spotted in 2019 under the name Mailto Ransomware. The operators of the Netwalker Ransomware are using the Coronavirus (COVID-19) outbreak as a lure to propagate the Trojan. This is not a new trick: countless cybercriminals around the world are exploiting the pandemic to trick and scam users, and most of the threats that lean on the Coronavirus crisis are propagated via spam emails.

Propagation and Encryption

The Netwalker Ransomware appears to be distributed through spam emails claiming to carry an important document that needs to be reviewed urgently. The attached file is named 'CORONAVIRUS_COVID-19.vbs.' This is a Visual Basic Script file dressed up to look like a genuine, harmless document. If the targeted user opens the malicious VBS file, they trigger the execution of the Netwalker Ransomware. Once running, the threat begins its encryption routine: the data on the user's system (documents, images, presentations, databases, archives, audio files, spreadsheets, videos, etc.) is locked with an encryption algorithm, and after the process completes the affected files are no longer usable. Most ransomware families append one fixed extension to every locked file. The Netwalker Ransomware takes a different approach and generates a unique extension for every victim. According to researchers, the generated extension is not restricted to a fixed alphabet or format; one example is '.bRAf7k', so a file named 'plush-blanket.jpg' would be renamed to 'plush-blanket.jpg.bRAf7k.'


The Ransom Note

The Netwalker Ransomware drops a ransom note on the victim's computer to announce what has happened to the system. The note's filename follows the pattern '<extension>-Readme.txt,' so with the example above it would be named 'bRAf7k-Readme.txt.' In the ransom message, the attackers state that there is no way out of the situation unless the victim pays the demanded fee. No specific amount is mentioned, so the sum is likely set individually for each victim. The authors of the Netwalker Ransomware instruct the user to download and install the Tor browser in order to reach their site, which carries further information and instructions.
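The two naming conventions described above (a per-victim extension appended to every locked file, and a note named '<extension>-Readme.txt' dropped beside them) are enough to build a first-pass triage script for an affected machine. The following Python is an added example written for this page, not code from the article or from any Netwalker sample; the directory layout it builds is constructed, and the rule "a file is encrypted if it ends in .<extension>" is a heuristic, not a property guaranteed by the malware.

```python
"""Post-incident triage for Netwalker-style artifacts (added example; not from the article)."""
import os
import re
import tempfile
from collections import defaultdict

# Netwalker names its note "<extension>-Readme.txt", where <extension> is the per-victim
# suffix appended to every encrypted file ("bRAf7k" and "1401" are the article's examples).
NOTE_RE = re.compile(r"^([A-Za-z0-9]{4,10})-Readme\.txt$")


def find_victim_extensions(root):
    """Derive the per-victim extension(s) from ransom-note filenames under root."""
    exts = set()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                exts.add(m.group(1))
    return exts


def triage(root):
    """Map each detected extension to the sorted list of encrypted files (paths relative to root).

    Heuristic: a file is counted as encrypted when its name ends in ".<ext>" and it is not
    the ransom note itself. Legitimate files that happen to end in the same suffix would be
    false positives, so the result is an analyst worklist, not proof of encryption.
    """
    exts = find_victim_extensions(root)
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NOTE_RE.match(name):
                continue
            for ext in exts:
                if name.endswith("." + ext):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    hits[ext].append(rel.replace(os.sep, "/"))
    return {ext: sorted(paths) for ext, paths in hits.items()}


def original_name(encrypted_name, ext):
    """Recover the pre-encryption filename: 'plush-blanket.jpg.bRAf7k' -> 'plush-blanket.jpg'."""
    suffix = "." + ext
    if not encrypted_name.endswith(suffix):
        raise ValueError(f"{encrypted_name!r} does not carry extension {suffix!r}")
    return encrypted_name[: -len(suffix)]


def build_sample_tree(base):
    """Constructed victim layout with dummy contents; mirrors the article's naming examples."""
    layout = {
        "Documents/plush-blanket.jpg.bRAf7k": b"\x00" * 16,
        "Documents/budget.xlsx.bRAf7k": b"\x00" * 16,
        "Documents/bRAf7k-Readme.txt": b"Your files are encrypted.\n",
        "Desktop/bRAf7k-Readme.txt": b"Your files are encrypted.\n",
        "Desktop/still-fine.txt": b"untouched\n",
        "Desktop/Readme.txt": b"a normal readme, not a ransom note\n",
    }
    for rel, data in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for ext, files in demo().items():
        print(f"extension .{ext}: {len(files)} encrypted file(s)")
        for f in files:
            print(f"  {f}  <- {original_name(os.path.basename(f), ext)}")
```

Because the extension is derived from the note's filename rather than hard-coded, the same script handles a victim tagged '.1401' (as in the note quoted further down) without modification. Run it against a mounted forensic image rather than the live system, and treat the output as a scope estimate to feed into restore-from-backup planning.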

We live in uncertain and scary times, to say the least. With the threat of coronavirus fresh in everyone’s mind, it’s hardly surprising to learn that many cyber threat actors are using coronavirus to push their viruses and ransomware.

One such coronavirus-themed phishing campaign leads to the installation of the Netwalker Ransomware, delivered as a malicious email attachment.

The Netwalker ransomware used to be known by the name Mailto. Netwalker attacks have become more frequent recently, with the operators targeting governments and businesses in particular. Two of the most widely reported Netwalker incidents were the attacks on the Toll Group and on the Champaign-Urbana Public Health District in Illinois.

Netwalker is now spreading through a phishing campaign that uses an email attachment called 'CORONAVIRUS_COVID-19.vbs.' The attachment carries the Netwalker executable embedded alongside obfuscated script code that extracts the executable and launches it on the target computer.
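A script attachment that carries its own executable is exactly the kind of thing a mail gateway can stop before a user ever sees it. The Python below is an added example for this page, not code from the article or from any vendor product. It parses a message with the standard library, flags attachments with script-host extensions, catches the double-extension trick (a document extension hidden in front of '.vbs'), and applies an assumed heuristic of my own: a script carrying a packed executable tends to contain a long run of base64-like characters. The lure message it builds is constructed; its '.vbs' attachment is an inert stub, not malware.

```python
"""Mail-gateway style attachment check for script droppers (added example; not from the article)."""
import base64
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Script-host extensions Windows executes on double-click. The Netwalker lure used ".vbs".
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
# Document-like extensions an attacker hides behind in a double extension ("invoice.pdf.vbs").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Heuristic (assumption, not from the article): a script that embeds an executable carries a
# long run of base64/hex-like characters in its body.
BLOB_RE = re.compile(rb"[A-Za-z0-9+/=]{200,}")


def attachment_reasons(part):
    """Return human-readable reasons this MIME part is suspicious (empty list = clean)."""
    name = (part.get_filename() or "").lower()
    stem, ext = os.path.splitext(name)
    reasons = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script attachment ({ext})")
        inner_ext = os.path.splitext(stem)[1]
        if inner_ext in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension ({inner_ext}{ext})")
        payload = part.get_content()  # decoded bytes for non-text parts, str for text parts
        if isinstance(payload, str):
            payload = payload.encode("utf-8", "replace")
        if BLOB_RE.search(payload):
            reasons.append("embedded encoded blob (possible packed executable)")
    return reasons


def scan_attachments(raw_message):
    """Parse an RFC 822 message and return {filename: [reasons]} for every attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {(part.get_filename() or "<unnamed>"): attachment_reasons(part)
            for part in msg.iter_attachments()}


def build_sample_email():
    """Constructed lure message. The '.vbs' attachments are harmless stubs, not real malware."""
    msg = EmailMessage()
    msg["From"] = "health-alerts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Urgent: COVID-19 document for review"
    msg.set_content("Please review the attached document urgently.")
    # Stand-in for an obfuscated dropper: a VBS stub holding an encoded blob.
    blob = base64.b64encode(bytes(range(256))).decode()
    stub = f'Dim payload\npayload = "{blob}"\n'.encode()
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="CORONAVIRUS_COVID-19.vbs")
    msg.add_attachment(b'Set s = CreateObject("WScript.Shell")\n', maintype="application",
                       subtype="octet-stream", filename="Guidance.pdf.vbs")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in scan_attachments(build_sample_email()).items():
        print(filename, "->", reasons or ["clean"])
```

In practice the extension check alone justifies quarantining: very few legitimate senders mail '.vbs' files, and the double-extension and blob checks mostly serve to rank what the analyst reviews first. Attachments that arrive inside archives need the same test applied to each archive member.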

One problem with Netwalker is that it can be challenging to detect. Rather than terminating the Fortinet endpoint protection client, which is the kind of process-killing behaviour defenders commonly flag, the ransomware disables the antivirus protection through the product's admin panel and leaves the client processes running.

Victims find the following ransom note in folders with encrypted files as well as on the desktop:

Your files are encrypted.
All encrypted files for this computer have extension: .1401

If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised,
rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you,
it could be files on the network belonging to other users, sure you want to take that responsibility?

Our encryption algorithms are very strong and your files are very well protected, you can’t hope to recover them without our help.
The only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover.
We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned.
For us this is just business and to prove to you our seriousness, we will decrypt you some files for free,
but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.
Сontact us:
Don’t forget to include your code in the email:

Unfortunately, no weaknesses in the ransomware's encryption scheme are publicly known, and security researchers have so far been unable to produce a public decryption tool. Even so, victims are urged not to pay the ransom: there is no guarantee that the attackers will restore the files as promised, and paying does nothing to stop the computer from being infected again in the future.

Coronavirus Attacks On the Rise

Threat actors have taken to using coronavirus as part of their phishing attacks in a trend that shows no sign of slowing down. There have been plenty of examples of this in practice, including TrickBot using text from news stories to avoid detection and several new ransomware threats named after the virus itself.

The increase in coronavirus threats has led the US Cybersecurity and Infrastructure Security Agency (CISA) to issue warnings over coronavirus-themed scams. The World Health Organization has issued warnings about hackers pretending to be the WHO as part of their attacks.

With threat actors taking advantage of significant news like this, everyone should be more vigilant when it comes to suspicious emails and programs downloaded from unknown sources. There’s no telling where a virus is hiding. Stick to official information from official sources.
