by Gustav Elkjær Rødsgaard, Junior Security Analyst

In 2019 NetWalker, a Windows-specific ransomware that encrypts and exfiltrates the data it reaches, was created by a cybercrime group called Circus Spider. Since then, it has specifically targeted Health Care Organizations, spreading successfully either through phishing emails or through a VBScript.

During the pandemic, NetWalker affiliates have been consistently active: a particularly vulnerable time for most has been particularly lucrative for them. Between March and September 2020, CISA estimated that they had collected US$25 million in ransoms. So, what do we know about NetWalker, what are its tactics, where did it originate, and how do you protect yourself and your organization?

History of NetWalker

An excellent place to start is a brief history lesson. NetWalker, first known as Mailto, is ransomware created by the cybercrime group known as Circus Spider. Initially discovered in September 2019, NetWalker is operated under the RaaS (ransomware-as-a-service) model and has a compilation timestamp dating back to August 28, 2019.

Over its lifetime, NetWalker has primarily targeted Health Care Organizations, taking advantage of the Covid-19 pandemic, with affiliates operating as ‘Big Game Hunters’ that target larger organizations and distribute the ransomware via (spear) phishing. Other industries, such as manufacturing, business management solutions, customer experience management, electromobility, battery solutions, and education, have also been targeted, with less success.

NetWalker uses a closed affiliate program in which applicants are vetted before they are accepted. The affiliates’ ransom demands have ranged from US$1,000 to US$3,000,000, and they practice double extortion: the affiliates extort money both for decrypting files and for not leaking the exfiltrated data.

The tactics & techniques used by NetWalker affiliates to spread NetWalker Ransomware

The NetWalker ransomware aims to exfiltrate data, eliminate backups, encrypt an organization’s data, expose that data by publishing proof of the exfiltration via the TOR network (a way to maintain anonymity) and, in the end, extort the organization.

Common TTPs include T1059.001 Command and Scripting Interpreter: PowerShell. NetWalker is written in PowerShell and executed directly in memory to avoid detection. The affiliates also use T1047 Windows Management Instrumentation to delete shadow volumes. For the complete list of TTPs used by NetWalker, check this link on MITRE.

As previously mentioned, one of the main targets was Health Care Organizations. The NetWalker ransomware was, and is, commonly spread in two ways. One is via a VBScript attached to Coronavirus-themed phishing emails; this method executes the ransomware payload when the attachment is double-clicked or when a document containing the VBScript is opened. The other common way NetWalker ransomware is spread is through an executable file propagated across the network. Common tools used by NetWalker affiliates are Mimikatz, PSTools, AnyDesk, TeamViewer, and NLBrute.

According to Intezer, the initial access mechanism for NetWalker ransomware contains code shared with Neshta, poison, BazarBackdoor, XMRig and a large part of Cobalt Strike.

Lorien Health Services unable to defend against NetWalker Ransomware

One of the most damaging incidents involving NetWalker affiliates was the ransomware attack on Lorien Health Services, which affected approximately 50,000 people. Personal information and data were accessed by the affiliates and may have included residents’ names, Social Security numbers, dates of birth, addresses, and health diagnosis and treatment information. Employee data was also accessed.

In the end, NetWalker leaked Lorien’s data. The FBI issued a flash alert to warn about NetWalker ransomware attacks on July 28, 2020. The alert stated that the FBI had received notifications of NetWalker attacks on U.S. and foreign government organizations, education entities, private companies, and health agencies. It also stated that NetWalker became widely recognized in March 2020 after intrusions on an Australian transportation and logistics company and a U.S. public health organization. Since then, NetWalker has taken advantage of the Covid-19 pandemic to compromise an increasing number of victims and health care organizations.

What to do as an organization to protect yourself from NetWalker ransomware

With the Covid-19 pandemic still ongoing, be aware that NetWalker affiliates are running campaigns that deliver their ransomware in phishing emails. Educating your organization on the common traits of phishing emails will help protect it.

NetWalker affiliates take advantage of vulnerabilities. You can protect your organization in the following ways:

  • Make sure that your backups of critical data are working and are stored offline
  • Make sure that backups cannot be modified or deleted
  • Use two-factor authentication
  • Keep your anti-virus and anti-malware software updated to the latest version
  • Use secure connections, such as a VPN
  • Keep your devices and software applications up to date

With Logpoint, you can implement the alerts presented in this blog post for further protection against NetWalker. They can also be run if you suspect that you have been the victim of an exploited vulnerability or a phishing campaign related to NetWalker.

Detecting NetWalker with Logpoint

Look at the information below for an idea of how Logpoint can help protect your company’s information and data.

Log Sources: Windows Sysmon, Windows server logs.

NetWalker adds Windows registry keys for persistence on the target systems. With Sysmon logs, you can monitor modifications to the Windows registry. The query below looks for values under the HKLM Run key whose name is exactly eight alphanumeric characters and captures that name as EightString.

Search Query:

norm_id = WindowsSysmon label = Registry target_object = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*" | process regex("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<EightString>[a-zA-Z0-9]{8})$", target_object) | chart count() by log_ts, user, host, target_object, EightString, detail
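The registry persistence query above, as an added Python example (not Logpoint's code and not part of the original post): it applies the same HKLM Run-key pre-filter and the regex with the EightString named group to a handful of constructed Sysmon registry events, then groups the hits the way the chart clause does. The event records, user and host names, and the re.IGNORECASE flag are assumptions. The sample set also includes the check a practitioner wants to see: a RunOnce value that passes the wildcard but not the anchored regex, and an ordinary eight-character value name that the regex cannot distinguish from a random one, so hits still need triage on the detail field.

```python
import re
from collections import Counter

# Regex from the Logpoint query with the EightString named group restored. re.IGNORECASE
# is an assumption added here: Windows registry paths are case-insensitive.
RUN_VALUE_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<EightString>[a-zA-Z0-9]{8})$",
    re.IGNORECASE,
)
# Mirrors the query's target_object = "HKLM\...\Run*" wildcard pre-filter.
RUN_KEY_PREFIX = "hklm\\software\\microsoft\\windows\\currentversion\\run"

# Constructed Sysmon registry events (event ID 13, value set); not real telemetry.
SAMPLE_REGISTRY_EVENTS = [
    {"norm_id": "WindowsSysmon", "label": "Registry", "event_id": 13,
     "log_ts": "2020-07-28T10:15:02Z", "user": "CORP\\alice", "host": "ws01",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\aB3dE9xQ",
     "detail": "C:\\Users\\Public\\aB3dE9xQ.exe"},
    {"norm_id": "WindowsSysmon", "label": "Registry", "event_id": 13,
     "log_ts": "2020-07-28T10:15:09Z", "user": "NT AUTHORITY\\SYSTEM", "host": "ws01",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "detail": "%windir%\\system32\\SecurityHealthSystray.exe"},
    # Passes the Run* wildcard (RunOnce starts with Run) but not the anchored regex.
    {"norm_id": "WindowsSysmon", "label": "Registry", "event_id": 13,
     "log_ts": "2020-07-28T10:16:40Z", "user": "CORP\\alice", "host": "ws01",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\aB3dE9xQ",
     "detail": "C:\\Users\\Public\\aB3dE9xQ.exe"},
    # Benign eight-character value name: the regex cannot tell it apart, so it is a hit too.
    {"norm_id": "WindowsSysmon", "label": "Registry", "event_id": 13,
     "log_ts": "2020-07-28T10:20:11Z", "user": "CORP\\bob", "host": "ws02",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "detail": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"},
]


def extract_eight_string(target_object):
    """Return the eight-character value name when target_object is such a value
    directly under the HKLM Run key, otherwise None."""
    if not target_object.lower().startswith(RUN_KEY_PREFIX):
        return None
    match = RUN_VALUE_RE.match(target_object)
    return match.group("EightString") if match else None


def detect_run_key_persistence(events):
    """Apply the query's filters to a list of normalized events; hits carry EightString."""
    hits = []
    for event in events:
        if event.get("norm_id") != "WindowsSysmon" or event.get("label") != "Registry":
            continue
        eight = extract_eight_string(event.get("target_object", ""))
        if eight is not None:
            hits.append({**event, "EightString": eight})
    return hits


def chart_count(hits):
    """Equivalent of `chart count() by log_ts, user, host, target_object, EightString, detail`."""
    keys = ("log_ts", "user", "host", "target_object", "EightString", "detail")
    return Counter(tuple(hit.get(k) for k in keys) for hit in hits)


if __name__ == "__main__":
    for row, count in chart_count(detect_run_key_persistence(SAMPLE_REGISTRY_EVENTS)).items():
        print(count, *row)
```

Run against the constructed events, two rows come back: the random-looking aB3dE9xQ value and the OneDrive value. That is the point of charting the detail column alongside EightString: the name pattern alone is a heuristic, and the value data (the path that will be executed at logon) is what separates a suspicious entry from a legitimate one.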

NetWalker affiliates have also been observed using vssadmin to delete shadow copies. With Windows process creation logs (Sysmon event ID 1 in the query below), you can create an alert that detects vssadmin and wmic being used for this purpose.

Search Query: Possible Ransomware Deletion Volume Shadow Copies Detected:

norm_id=WindowsSysmon event_id=1 command IN ["*vssadmin* delete shadows*", "*wmic* SHADOWCOPY DELETE*"] -user IN EXCLUDED_USERS

We have also observed NetWalker affiliates executing a 32-bit Explorer process from the SysWOW64 folder. You can detect this process creation with Windows Sysmon, as shown below.

Search Query:

norm_id = WindowsSysmon event_id = 1 image = "*SysWOW64\explorer.exe" | chart count() by log_ts, event_id, host, device_ip, path, "process", parent_process

NetWalker ransomware has had many targets already, so Logpoint has compiled a static list of hashes used in previous NetWalker attacks. As shown below, that static list can be used to detect NetWalker. For this alert to work, the NETWALKER_HASHES list must be present in your Logpoint solution.

Search Query:

(hash IN NETWALKER_HASHES OR hash_sha1 IN NETWALKER_HASHES OR hash_sha256 IN NETWALKER_HASHES OR hash_import IN NETWALKER_HASHES) | rename hash_sha1 as hash, hash_sha256 as hash, hash_import as hash | chart count() by log_ts, device_name, host, device_ip, hash
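The three process-creation queries above (shadow copy deletion, explorer.exe from SysWOW64, and the NETWALKER_HASHES list), as one added Python example that is not Logpoint's code and not part of the original post: it evaluates the same three conditions over constructed Sysmon event ID 1 records. The EXCLUDED_USERS set and the NETWALKER_HASHES set are stand-ins (the hash values are derived from labelled sample strings and are not real NetWalker indicators), the event fields, hosts and user names are constructed, and case-insensitive wildcard matching is an assumption.

```python
import fnmatch
import hashlib

# Stand-ins for the Logpoint lists the queries reference. The hash values are derived from
# labelled sample strings so the example runs offline; they are NOT real NetWalker indicators.
EXCLUDED_USERS = {"corp\\backup_svc"}
NETWALKER_HASHES = {
    hashlib.sha256(b"constructed sample A").hexdigest(),
    hashlib.sha1(b"constructed sample B").hexdigest(),
}

SHADOW_DELETE_PATTERNS = ("*vssadmin* delete shadows*", "*wmic* shadowcopy delete*")
SYSWOW64_EXPLORER_PATTERN = "*syswow64\\explorer.exe"
HASH_FIELDS = ("hash", "hash_sha1", "hash_sha256", "hash_import")

# Constructed Sysmon process-creation events (event ID 1); not real telemetry.
SAMPLE_PROCESS_EVENTS = [
    {"event_id": 1, "log_ts": "2020-07-28T11:02:10Z", "host": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent_process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Same technique from an excluded service account: suppressed by the -user filter.
    {"event_id": 1, "log_ts": "2020-07-28T11:05:33Z", "host": "srv01", "user": "CORP\\backup_svc",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command": "wmic.exe shadowcopy delete",
     "parent_process": "C:\\Windows\\System32\\cmd.exe"},
    {"event_id": 1, "log_ts": "2020-07-28T11:07:48Z", "host": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\SysWOW64\\explorer.exe",
     "command": "C:\\Windows\\SysWOW64\\explorer.exe",
     "parent_process": "C:\\Users\\Public\\aB3dE9xQ.exe"},
    {"event_id": 1, "log_ts": "2020-07-28T11:08:02Z", "host": "ws02", "user": "CORP\\bob",
     "image": "C:\\Windows\\explorer.exe",
     "command": "C:\\Windows\\Explorer.EXE",
     "parent_process": "C:\\Windows\\System32\\userinit.exe"},
    {"event_id": 1, "log_ts": "2020-07-28T11:09:15Z", "host": "ws02", "user": "CORP\\bob",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\qeSw.exe",
     "command": "qeSw.exe", "parent_process": "C:\\Windows\\System32\\wscript.exe",
     "hash_sha256": hashlib.sha256(b"constructed sample A").hexdigest()},
    {"event_id": 1, "log_ts": "2020-07-28T11:12:59Z", "host": "srv01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command": "vssadmin.exe List Shadows",
     "parent_process": "C:\\Windows\\System32\\cmd.exe"},
]


def _glob(value, pattern):
    """Case-insensitive wildcard match (assumed; Windows paths and command lines vary in case)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_shadow_copy_deletion(event):
    """'Possible Ransomware Deletion Volume Shadow Copies Detected'."""
    if event.get("event_id") != 1 or event.get("user", "").lower() in EXCLUDED_USERS:
        return False
    command = event.get("command", "")
    return any(_glob(command, p) for p in SHADOW_DELETE_PATTERNS)


def is_syswow64_explorer(event):
    """32-bit explorer.exe started from the SysWOW64 folder."""
    return event.get("event_id") == 1 and _glob(event.get("image", ""), SYSWOW64_EXPLORER_PATTERN)


def matched_hash(event):
    """Collapse the four hash columns into one, like the query's `rename ... as hash`,
    and return the first value found in NETWALKER_HASHES (None if no match)."""
    for field in HASH_FIELDS:
        value = event.get(field)
        if value and value.lower() in NETWALKER_HASHES:
            return value.lower()
    return None


def run_rules(events):
    """Return (rule_name, event) pairs for every rule each event triggers."""
    hits = []
    for event in events:
        if is_shadow_copy_deletion(event):
            hits.append(("Possible Ransomware Deletion Volume Shadow Copies Detected", event))
        if is_syswow64_explorer(event):
            hits.append(("SysWOW64 explorer.exe execution", event))
        if matched_hash(event) is not None:
            hits.append(("NETWALKER_HASHES match", event))
    return hits


if __name__ == "__main__":
    for rule, event in run_rules(SAMPLE_PROCESS_EVENTS):
        print(rule, "|", event["log_ts"], event["host"], event["user"], event["image"])
```

Two design points carry over to the real Logpoint alerts. First, the -user IN EXCLUDED_USERS clause silences the shadow copy rule for whichever accounts are on that list; the second sample event shows exactly the kind of deletion that exclusion hides, so that list deserves periodic review rather than growing with every false positive. Second, the hash rule only fires when the log source actually populates one of the hash columns, so a host without Sysmon hashing enabled contributes nothing to it.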