Netwalker is a type of ransomware that targets Windows-based systems. First discovered in August 2019, it has evolved throughout the rest of 2019 and into 2020. The FBI noted significant spikes in NetWalker targeted attacks during the height of the Covid-19 pandemic.
What is NetWalker?
Formerly called Mailto, NetWalker is a sophisticated type of ransomware that makes all critical files, applications, and databases inaccessible via encryption.
The group behind the attack demands payment in cryptocurrency in exchange for data recovery and threatens to publish the victim’s sensitive data in an “escape portal” if the ransoms are not paid.
Such cybercriminals are also known to launch targeted campaigns against large organizations, mainly using phishing techniques sent to various access points in order to infiltrate networks.
How NetWalker works
Some malicious e-mail samples used the COVID-19 trick as bait to trick victims into clicking malicious links or downloading infected files.
Once a computer is infected, the malware starts spreading and compromises all connected Windows devices.
In addition to spreading via spam emails, this ransomware can also disguise itself as a popular password manager app.
As soon as users run the bogus version of the app, their files will be encrypted.
Like Dharma, Sodinokibi (aka REvil), and other nefarious variants of ransomware, NetWalker operators use the Ransomware-as-a-Service (RaaS) model.
How NetWalker uses the RaaS model
The NetWalker group has actively recruited “affiliates” on dark web forums, offering the tools and infrastructure to cybercriminals who have previous experience infiltrating large networks.
According to a McAfee report, the group seeks Russian-speaking partners and those who already have a foothold in a potential victim’s network.
They privilege quality over quantity and have only limited space for partners.
They stop recruiting once those slots have been filled and resume re-advertising recruiting via forums only once a slot opens.
How has the ransom note evolved?
Previous versions of the NetWalker ransom note, just like most other ransom notes, had a “contact us” section that used anonymous email account services.
The victims would then contact the group and facilitate payment through this ploy.
The much more sophisticated version the group has been using since March 2020 has ditched email and replaced it with a system that uses the NetWalker Tor interface.
Users are prompted to download and install Tor Browser and are provided with a personal code.
After submitting the key via the online form, the victim will be redirected to a chat messenger to speak to NetWalker “technical support”.
How do you pay for NetWalker?
The NetWalker system is organized in a very similar way to the companies they target.
They even issue a detailed invoice that includes the status of the account, ie “pending payment”, the amount to be paid and the time left to pay it.
According to reports, victims are given a week to pay, after which the price for decryption doubles, or sensitive data is leaked due to non-payment before the deadline.
Once the payment is made, the victim is directed to a download page for the decryptor program.
The decryptor program is designed to decrypt only the files of the specific user who made the payment.
This is why each victim is assigned a unique key.
How to protect your data from NetWalker attacks
The first tip is always the same: be wary of emails and messages that require you to click on links or download files.
Instead of clicking on the link right away, hover over it to see the full URL that should appear at the bottom of your browser.
It is important not to click on any email link until you are sure it is genuine, which could mean contacting the sender on a separate system to verify.
You should also avoid downloading fake apps.
Making sure you have a reputable antivirus and anti-malware installed regularly updated is a must, as they can often spot phishing links in emails.
Install software patches now as they are designed to fix vulnerabilities frequently exploited by cybercriminals.
You must also protect network access points with strong passwords and use multi-factor authentication (MFA) to protect access to the network, other computers, and services in your organization.
Regular backups are also a good idea.