Ransomware Profile: NetWalker

NetWalker is a type of ransomware that was first detected in August 2019. It has gone through a number of iterations since then, evolving into a sophisticated ransomware-as-a-service (RaaS) that has earned tens of millions of dollars for the NetWalker team and their affiliates.

What is NetWalker?

NetWalker, formerly known as Mailto, is a sophisticated ransomware family that encrypts a target’s data using Salsa20 encryption and demands a ransom to recover files. It tends to target high-value entities such as hospitals, universities, enterprises and government agencies.

As a human-operated ransomware, NetWalker operators often spend a significant amount of time establishing a foothold in the target environment after the initial compromise. Harvesting credentials, spreading laterally and exfiltrating data before deploying the ransomware payload enables operators to maximize the impact and profitability of an attack. Like some other ransomware groups, the threat actors behind NetWalker threaten to publish or sell stolen data on their leak site if victims refuse to pay the ransom.

NetWalker operates under the RaaS model, whereby vetted affiliates can distribute the ransomware and collect a cut of the ransom payments. Affiliates allegedly earn up to 80 percent of ransom payments, with the remaining 20 percent going to the NetWalker group.

The history of NetWalker

NetWalker was discovered in August 2019. It was initially referred to as “Mailto” because of the .mailto extension it appended to encrypted files, but analysis of the ransomware’s decryptor indicated that “NetWalker” was the developer’s intended name for the malware.

Over the next few months, NetWalker gained the attention of the cybersecurity world with several high-profile attacks on major organizations such as Spanish hospital Torrejón and Australian logistics company Toll Group.

The NetWalker affiliate program was introduced in March 2020. Representatives of the NetWalker team began advertising their program and recruiting affiliates on DarkWeb forums, with the aim of scaling up operations. In contrast to some ransomware groups that welcome mass distribution methods, the NetWalker team expressly sought to hire only technically adept, Russian-speaking affiliates with proven network intrusion experience.

Toward the end of March 2020, we saw a dramatic spike in NetWalker activity as affiliates took advantage of the COVID-19 crisis to lure in unsuspecting victims. NetWalker operators distributed pandemic-related phishing emails that carried a Visual Basic Script (VBS) attachment, which triggered the malicious payload when opened.

In July 2020, the FBI released an alert warning of a rise in NetWalker attacks on government organizations, education entities, private companies, and health agencies.

In August 2020, an analysis of bitcoin addresses linked to NetWalker indicated that the previous five months had been extremely profitable for the ransomware group. Between 1 March and 27 July 2020, the NetWalker ransomware gang made more than $25 million in ransom payments.

NetWalker ransom note

After encrypting the target system, NetWalker drops a ransom note on the desktop and within infected directories.

In early NetWalker incidents, the ransom note instructed victims to contact attackers directly via email.

However, after NetWalker shifted to RaaS in March 2020, we saw some significant changes to the communication instructions provided in the ransom note. Instead of email, the victim is now instructed to contact attackers through the NetWalker Tor page, where they can enter a personal code included in the ransom note. The victim is then directed to a live chat with NetWalker technical support, where payment negotiations can be made.
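The note placement described above (on the desktop and inside every directory the ransomware touched), together with the .mailto extension mentioned earlier, gives responders a quick way to scope an incident. The script below is an added example, not code from the article or from Emsisoft: it walks a directory tree, counts files carrying a given encrypted-file extension per directory, and records which directories hold a ransom note. The extension set, the note-name suffix (a placeholder, since the article does not give the note's filename) and the sample tree it builds in a temporary folder are all this example's own assumptions.

```python
"""Added example: scope a ransomware incident by encrypted extension and note placement.

Not part of the original article. Extension set and note-name suffix are
assumptions of this example; substitute the values observed in your incident.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# ".mailto" is the extension the article attributes to early NetWalker builds;
# later builds used other extensions, so the set is a parameter.
DEFAULT_EXTENSIONS = {".mailto"}
# Placeholder pattern for the ransom note filename (not taken from the article).
NOTE_NAME_SUFFIX = "-Readme.txt"


def triage_tree(root, extensions=DEFAULT_EXTENSIONS, note_suffix=NOTE_NAME_SUFFIX):
    """Return (encrypted_per_dir, note_dirs) for the tree rooted at `root`.

    encrypted_per_dir: Counter of directory -> number of files with an encrypted extension
    note_dirs: set of directories that contain a ransom note
    """
    encrypted_per_dir = Counter()
    note_dirs = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if Path(name).suffix.lower() in extensions:
                encrypted_per_dir[dirpath] += 1
            elif name.endswith(note_suffix):
                note_dirs.add(dirpath)
    return encrypted_per_dir, note_dirs


def summarize(encrypted_per_dir, note_dirs):
    """Collapse the walk results into the numbers an IR lead usually asks for first."""
    return {
        "encrypted_files": sum(encrypted_per_dir.values()),
        "affected_dirs": len(encrypted_per_dir),
        "dirs_with_note": len(note_dirs),
        # Directories with a note but no encrypted files: the payload ran there
        # but found nothing matching its target extensions (or was interrupted).
        "dirs_with_note_but_no_encrypted": len(note_dirs - set(encrypted_per_dir)),
    }


def build_sample_tree():
    """Constructed sample tree (not a real victim layout) in a temp directory."""
    root = tempfile.mkdtemp(prefix="triage-sample-")
    layout = {
        "Desktop": ["report.docx.mailto", "ABC123-Readme.txt"],
        "Finance": ["q1.xlsx.mailto", "q2.xlsx.mailto", "ABC123-Readme.txt"],
        "Pictures": ["cat.jpg"],
        "Public": ["ABC123-Readme.txt"],
    }
    for subdir, files in layout.items():
        d = Path(root, subdir)
        d.mkdir()
        for f in files:
            (d / f).write_bytes(b"sample")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    enc, notes = triage_tree(sample_root)
    for directory, count in sorted(enc.items()):
        print(f"{count:4d} encrypted file(s) in {directory}")
    print(summarize(enc, notes))
```

Run it against a mounted image or a live share root rather than the sample tree once you have confirmed the extension and note name for the build you are dealing with; the "note but no encrypted files" count is worth reporting separately because it shows how far the payload reached even where it encrypted nothing.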

Who does NetWalker target?

NetWalker targets entities in both the private and public sectors. Government organizations, educational institutions, healthcare providers and enterprises across a wide range of verticals have been impacted by NetWalker.

The NetWalker group prohibits affiliates from targeting Russia and members of the Commonwealth of Independent States.

How does NetWalker spread?

We have seen NetWalker affiliates use a variety of methods to distribute ransomware. However, current campaigns primarily focus on exploiting VPN appliances and software vulnerabilities. Below is a list of techniques NetWalker operators have used or are currently using to gain initial access to a target network.

After infiltrating a network, NetWalker operators use a variety of commonly available tools to harvest credentials, move laterally across the network and exfiltrate data. The ransomware payload is typically delivered via a PowerShell script embedded within the NetWalker ransomware executable. In some cases the PowerShell script is executed directly in memory, using reflective dynamic-link library (DLL) injection, rather than being written to disk, which helps it evade detection and maintain persistence.
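Because the in-memory delivery described above never writes the script to disk, PowerShell script-block logging is one of the few places it leaves a trace. The scanner below is an added example, not code from the article or from Emsisoft: it scores constructed script-block log records against a small set of heuristic indicators that are consistent with reflective loading from PowerShell (Win32 memory APIs declared through Add-Type, reflective assembly loading, encoded commands, stealth switches). The record format, the indicator patterns, their weights and the threshold are all this example's own assumptions, and the sample records are constructed; a real deployment would feed it Event ID 4104 text and tune the weights against the environment's baseline.

```python
"""Added example: heuristic scoring of PowerShell script-block log records.

Not part of the original article. Indicators, weights, threshold and the
pipe-delimited record format are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Each indicator: compiled pattern and a weight. Weights are illustrative choices.
INDICATORS = {
    "win32-memory-api": (
        re.compile(r"VirtualAlloc|WriteProcessMemory|CreateRemoteThread", re.I), 3),
    "reflective-assembly-load": (
        re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I), 3),
    "dllimport-via-add-type": (
        re.compile(r"Add-Type\b.*DllImport", re.I), 2),
    "encoded-command": (
        re.compile(r"-EncodedCommand|-enc\b|FromBase64String", re.I), 1),
    "stealth-switches": (
        re.compile(r"-WindowStyle\s+Hidden|-NoProfile|-ExecutionPolicy\s+Bypass", re.I), 1),
}


@dataclass
class Finding:
    block_id: str
    score: int
    matched: list[str] = field(default_factory=list)


def score_script_block(block_id: str, text: str) -> Finding:
    """Sum the weights of every indicator that appears at least once in the block."""
    finding = Finding(block_id, 0)
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            finding.score += weight
            finding.matched.append(name)
    return finding


def parse_record(line: str):
    """Constructed record format: 'EventID|ScriptBlockId|ScriptBlockText'.

    Only event 4104 (script block logging) records are considered; the text
    field may itself contain '|' characters, so split at most twice.
    """
    parts = line.split("|", 2)
    if len(parts) != 3 or parts[0].strip() != "4104":
        return None
    return parts[1].strip(), parts[2]


def scan_log(lines, threshold: int = 3):
    """Return findings for every record whose score reaches the threshold, in log order."""
    findings = []
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        finding = score_script_block(*parsed)
        if finding.score >= threshold:
            findings.append(finding)
    return findings


# Constructed sample records; block-003 is a deliberately non-functional fragment.
SAMPLE_LOG = [
    "4104|block-001|Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "4104|block-002|powershell -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA...",
    "4104|block-003|Add-Type -MemberDefinition '[DllImport(\"kernel32\")] ... VirtualAlloc(...)' "
    "-Name K -PassThru; [System.Reflection.Assembly]::Load($bytes)",
    "4104|block-004|Get-Service | Where-Object Status -eq Running",
    "4103|block-005|Write-Host hello",
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.block_id}: score={f.score} indicators={', '.join(f.matched)}")
```

At the default threshold only block-003 is reported; lowering it to 2 also surfaces the encoded, hidden-window launch in block-002, which on its own is common enough in legitimate administration that it is better treated as a weak signal to correlate than as an alert.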

Major NetWalker attacks

Toll Group

Australian transportation and logistics company Toll Group was one of the first major companies to be severely impacted by NetWalker. In late January 2020, NetWalker infected more than 1,000 of the company’s servers, forcing Toll Group to shut down multiple systems, disable several customer-facing applications and revert to manual processes. It took more than six weeks for Toll Group to bring its core services back online.

Healthcare organizations

A number of healthcare organizations in the United States suffered NetWalker infections over the course of 2020. In March, a NetWalker incident disabled the website of Champaign-Urbana Public Health District, a public-health agency in Illinois; in June, NetWalker operators exfiltrated data from Crozer-Keystone Health System, a large health care provider in Philadelphia; also in June, the data of almost 50,000 patients was stolen and encrypted during a NetWalker attack on nursing home operator Lorien Health Services.

University of California, San Francisco

In June 2020, UCSF was infected with NetWalker. The ransomware impacted a number of servers within the university’s School of Medicine, forcing security teams to quarantine several IT systems to prevent the infection from spreading. UCSF made the decision to pay $1.14 million to recover the encrypted data, noting in a press release that “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.” Within the same week as the UCSF attack, Columbia College, Chicago, and Michigan State University were also hit by NetWalker.

Trinity Metro

In July 2020, Trinity Metro, a Texas-based transit agency responsible for 8 million passenger trips annually, was hit by NetWalker, which impacted customer service and booking systems. On the NetWalker leak site, threat actors posted screenshots of hundreds of files they had stolen during the attack alongside a timer counting down the days until the information would be released. A few days later, Trinity Metro’s name was removed from the NetWalker leak site, indicating that the agency may have paid the ransom.

Authorities seize NetWalker site

In late January 2021, the U.S. Department of Justice announced a coordinated international law enforcement effort to disrupt NetWalker.

An investigation led by the FBI’s Tampa field office resulted in Canadian authorities arresting Sebastien Vachon-Desjardins, a Canadian national who allegedly stole more than $27.6 million as a NetWalker affiliate. Law enforcement also seized $454,530.19 in cryptocurrency payments made by three separate NetWalker victims.

At the same time, authorities in Bulgaria seized computers affiliated with NetWalker. The NetWalker leak site now displays a seizure banner notifying visitors that it has been seized by government agencies.

If decryption keys are discovered on the seized machines, the law enforcement action could potentially help the victims of NetWalker restore their encrypted data.

It is unclear at this stage how the seizure will impact the group’s activities in the long run. We will continue to update this page with new information as it becomes available.

How to protect the network from NetWalker and other ransomware

The following practices may help organizations reduce the risk of a NetWalker incident.

How to remove NetWalker and other ransomware

NetWalker uses sophisticated encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool.

Victims of NetWalker should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended:

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.