What is Netwalker ransomware?
Netwalker, also known as Mailto, is a type of ransomware that renders its target’s files inaccessible and demands a ransom to restore access to them. Netwalker was especially active during the Covid-19 pandemic, targeting mostly healthcare institutions and businesses, but this strain of ransomware is still active today. So how do hackers carry out Netwalker ransomware attacks, and what can you do to prevent this type of ransomware from harming your organization?
How does Netwalker ransomware work?
Netwalker ransomware definition
Netwalker ransomware is a type of malicious software that encrypts a victim’s data, rendering it inaccessible, and then demands a ransom in exchange for the decryption key. It primarily targets businesses and organizations, often exploiting vulnerabilities in remote access tools or using phishing emails to gain entry. Once inside the network, Netwalker ransomware can spread quickly, encrypting files on both local and network drives.
Netwalker is operated by the ransomware gang tracked as Circus Spider, and its attacks usually begin with a phishing email containing malicious links or attachments. These phishing emails are made to resemble legitimate messages from healthcare and education institutions so that you click the link or open the attachment, which carries a malicious VBS script that starts the infection.
You might not even know that you are being hacked, because Netwalker hides inside a legitimate Microsoft process. The malware starts a trusted Windows executable, replaces that process’s code in memory with its own payload, and lets it run under the legitimate name, a technique known as “process hollowing.” Undetected, it can spread from your device to other devices on the same network. Netwalker ransomware exfiltrates data and locks your files using robust encryption algorithms. It also deletes backups and shadow copies it can reach and creates backdoors without raising anyone’s suspicion.
You only realize what happened after you receive a ransom note. Your sensitive data has been exfiltrated and encrypted, and the hackers might have even posted some of the stolen data on the dark web as proof that they have it. Now you are pressured to pay the ransom (usually in cryptocurrency) to regain access to your files; otherwise, the attackers threaten to leak the rest of the stolen data. The hackers will promise to give you a decryption key after you pay, but you should not trust them — you might end up paying for nothing.
Who is the target?
The Circus Spider hacking group behind the Netwalker attacks typically targets corporate networks, government organizations, healthcare or education institutions, and other larger organizations in the private sector. This cybercriminal group became infamous for adopting the “ransomware as a service” (RaaS) model and recruiting “affiliates” to break into targeted organizations and deploy the malware. If the attacks are successful, the Netwalker developers share the ransom with their affiliates.
How do I know if my device has been infected?
Netwalker ransomware displays multiple signs of infection, some obvious, like a ransom note, and some more inconspicuous. The symptoms of Netwalker ransomware infection include:
- You cannot access your files. The most common sign of a malware infection is the inability to open files. When trying to open a file, you will receive an error message saying the file format is not recognized or that the file is corrupted.
- A different file extension. Netwalker ransomware appends a new extension to every file it encrypts. For example, instead of “filename.docx” you could see “filename.docx.[new.extension],” and the same appended extension shows up on every encrypted file on the machine.
- Slow computer performance. You might notice that your computer has suddenly slowed down or behaves unusually, because the encryption process uses significant system resources.
- A ransom note. The most apparent indication of a Netwalker attack is a ransom note that appears on your device’s desktop or in the folders containing encrypted files after your data has been stolen and encrypted. It includes a ransom demand and instructions for paying to have your files decrypted.
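The three quiet signs above (an unfamiliar suffix appended to every encrypted file, file contents that look like random bytes, and a note file dropped next to them) can be checked by a script rather than by eye. The following is an added triage example, not code from the original article and not a Netwalker artifact: it builds a small constructed directory tree and scans it for those indicators. The known-extension list, the 4 to 8 character suffix pattern, the entropy threshold and the note keywords are assumptions chosen for the example.

```python
"""Scan a directory tree for the generic signs of a Netwalker-style infection.

Constructed example: build_sample() creates a throwaway tree with a few clean
files, two "encrypted" files with an appended suffix, and a fake ransom note,
then scan() reports what it finds.  Nothing here is taken from a real sample.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: extensions we expect to see on ordinary business files.
KNOWN_EXT = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png", "sql", "tar", "gz"}
# Assumption: ransomware appends a short alphanumeric suffix after the real extension.
APPENDED = re.compile(r"\.([A-Za-z0-9]{4,8})$")
# Assumption: a note mentions several of these words; one hit alone is noise.
NOTE_KEYWORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "pay", "tor")
ENTROPY_THRESHOLD = 7.5  # bits per byte; random/encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted output is close to 8, English text ~4-5."""
    if not data:
        return 0.0
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def appended_suffix(path: Path):
    """Return the suffix if the name looks like 'report.docx.XXXXX', else None."""
    parts = path.name.split(".")
    if len(parts) < 3:
        return None
    orig_ext, suffix = parts[-2].lower(), parts[-1]
    if orig_ext in KNOWN_EXT and suffix.lower() not in KNOWN_EXT and APPENDED.search(path.name):
        return suffix
    return None


def looks_like_note(path: Path) -> bool:
    """Small text/HTML file that uses at least three of the ransom-note keywords."""
    if path.suffix.lower() not in {".txt", ".html", ".hta"} or path.stat().st_size > 65536:
        return False
    text = path.read_text(errors="ignore").lower()
    return sum(k in text for k in NOTE_KEYWORDS) >= 3


def scan(root: Path) -> dict:
    """Collect encrypted-looking files, note files, the suffix tally and earliest mtime."""
    report = {"encrypted": [], "notes": [], "suffixes": Counter(), "first_seen": None}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if looks_like_note(p):
            report["notes"].append(p)
            continue
        suffix = appended_suffix(p)
        if suffix is None:
            continue
        # Only files with an appended suffix get the entropy test: compressed
        # formats such as .docx or .jpg are high-entropy even when untouched.
        if shannon_entropy(p.read_bytes()[:4096]) > ENTROPY_THRESHOLD:
            report["encrypted"].append(p)
            report["suffixes"][suffix] += 1
            mtime = p.stat().st_mtime
            if report["first_seen"] is None or mtime < report["first_seen"]:
                report["first_seen"] = mtime
    return report


def build_sample(root: Path) -> None:
    """Constructed sample tree: clean files, 'encrypted' files, one fake note."""
    (root / "report.docx").write_bytes(b"quarterly numbers " * 100)      # clean
    (root / "backup.tar.gz").write_bytes(b"archive " * 100)               # clean, two real extensions
    (root / "notes.txt").write_text("Meeting notes: pay the invoice by Friday.")  # one keyword only
    (root / "report.docx.a1b2c").write_bytes(os.urandom(4096))           # encrypted look-alike
    (root / "photo.jpg.a1b2c").write_bytes(os.urandom(4096))             # encrypted look-alike
    (root / "README_TO_RESTORE.txt").write_text(
        "Your files are encrypted. To decrypt them pay in bitcoin via our Tor page. "
        "The ransom doubles in 7 days.")


def demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="nw-scan-"))
    build_sample(root)
    return scan(root)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['encrypted'])} encrypted-looking files, suffixes {dict(r['suffixes'])}")
    print(f"{len(r['notes'])} ransom note(s); earliest encrypted mtime {r['first_seen']}")
```

The suffix tally is the useful output: one suffix appearing on many files across unrelated folders is the pattern the article describes, and the earliest modification time among those files gives a rough start of the encryption, which matters later when choosing a backup to restore from. Run it against a copy of the affected share, not the live machine.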
What causes Netwalker ransomware attacks?
- Phishing and spear-phishing attacks are the most common ways for Netwalker ransomware to spread. Hackers from the Circus Spider group and their Netwalker ransomware affiliates send both mass, generic emails and targeted ones to trick unsuspecting people into clicking malicious links or downloading attachments that infect their computers.
- Social engineering. Social engineering tactics involve psychological manipulation, influencing, or deceiving people into disclosing sensitive data, such as passwords and login credentials, that make it possible for cybercriminals to access a protected device or system.
- The exploitation of software vulnerabilities is another way that Netwalker spreads. You should keep your systems up to date with the latest patches and updates to protect them from cyber attacks.
- Insufficient network security. Poorly secured networks are easier for hackers to breach. Remote Desktop Protocol (RDP) services exposed to the internet, especially ones protected only by a password, are a favourite entry point for ransomware affiliates.
What should I do after my device has been infected?
If you suspect or know that Netwalker has attacked you, you should take immediate action to mitigate the damage and prevent the ransomware from spreading further. First, you should disconnect your computer from the network. This way, you will protect other computers and systems on the network.
Next, report the incident to your system administrator and local authorities, spread the word in your organization, and warn your colleagues to beware of Netwalker. Take screenshots of the ransom note and any other communication with the Netwalker attackers, and keep a copy of the note file and a few encrypted files: they are needed to identify the strain and to test any decryptor.
Then you should contact cybersecurity professionals or your organization’s IT department to help you assess the damage, possibly decrypt the files, and strengthen cybersecurity measures to prevent future attacks. Keep in mind that removing the ransomware stops further encryption but does not decrypt files; recovery depends on backups or on a public decryptor, where one exists. Paying the ransom is highly discouraged because you have no guarantee you will regain access to your sensitive data, and you will encourage future criminal activity by legitimizing the hackers’ tactics.
If you regularly back up your data, you should be able to restore your files once the ransomware has been removed. Just make sure you are restoring your data from a backup made before the Netwalker ransomware infection. Lastly, learn from this bitter experience and take measures to prevent similar attacks in the future.
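Choosing which backup to restore from is the step most often rushed. The following added example, not code from the original article, picks the newest backup snapshot that predates the infection and rejects any snapshot that already contains files with the ransomware’s appended extension, even if its date looks safe (a backup job that ran during the attack can capture half-encrypted data). It assumes snapshot folders named by date (YYYY-MM-DD), that you already know the appended extension and the earliest encrypted-file timestamp from the affected machine, and it builds its own constructed backup tree to run against.

```python
"""Pick a safe restore point: newest snapshot older than the infection and
free of files carrying the ransomware's appended extension.

Constructed example.  Assumption: backups live in one directory with one
sub-folder per snapshot, named YYYY-MM-DD.
"""
import tempfile
from datetime import datetime
from pathlib import Path

SNAPSHOT_FMT = "%Y-%m-%d"  # assumption: snapshot folder naming convention


def snapshot_time(snapshot: Path):
    """Parse the snapshot's date from its folder name; None if it does not match."""
    try:
        return datetime.strptime(snapshot.name, SNAPSHOT_FMT)
    except ValueError:
        return None


def contaminated(snapshot: Path, bad_suffix: str) -> list:
    """Files inside the snapshot that carry the ransomware's appended extension."""
    return sorted(p for p in snapshot.rglob("*")
                  if p.is_file() and p.name.endswith("." + bad_suffix))


def choose_restore_point(backup_root: Path, infected_at: datetime, bad_suffix: str) -> dict:
    """Return the chosen snapshot plus the reason each newer/unsafe one was rejected."""
    result = {"chosen": None, "rejected": {}}
    dated = [(t, snap) for snap in backup_root.iterdir()
             if snap.is_dir() and (t := snapshot_time(snap)) is not None]
    for t, snap in sorted(dated, reverse=True):          # newest first
        if t >= infected_at:
            result["rejected"][snap.name] = "after infection"
            continue
        if contaminated(snap, bad_suffix):
            # The date says pre-infection, the contents say otherwise: do not trust it.
            result["rejected"][snap.name] = "contains encrypted files"
            continue
        result["chosen"] = snap
        break
    return result


def build_sample(backup_root: Path) -> None:
    """Constructed snapshots: one clean, one partly encrypted, one post-attack."""
    for name in ("2024-03-01", "2024-03-08", "2024-03-15"):
        (backup_root / name / "finance").mkdir(parents=True)
        (backup_root / name / "finance" / "ledger.xlsx").write_bytes(b"rows " * 50)
    # Backup job ran while encryption was in progress: one file already encrypted.
    (backup_root / "2024-03-08" / "finance" / "plan.docx.a1b2c").write_bytes(b"\x9f" * 64)
    (backup_root / "2024-03-15" / "finance" / "plan.docx.a1b2c").write_bytes(b"\x9f" * 64)


def demo() -> dict:
    """Build the constructed backup tree and choose a restore point from it."""
    root = Path(tempfile.mkdtemp(prefix="nw-backups-"))
    build_sample(root)
    # Assumption: first encrypted file on the victim machine was seen at this time.
    infected_at = datetime(2024, 3, 10, 12, 0)
    return choose_restore_point(root, infected_at, bad_suffix="a1b2c")


if __name__ == "__main__":
    r = demo()
    print("restore from:", r["chosen"].name if r["chosen"] else "no safe snapshot")
    for name, why in r["rejected"].items():
        print(f"  skipped {name}: {why}")
```

If no snapshot passes both checks the function returns `chosen: None`, which is the honest answer: an older offline or cloud copy has to be found rather than restoring something the script could not vouch for. Restore into a clean, rebuilt system, not over the infected one.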
How to prevent Netwalker ransomware
The best defense from ransomware is prevention and robust security measures. Make sure to follow this list to protect your sensitive data and prevent a potential ransomware attack:
- Back up your data on external hard drives. Alongside cloud storage, you should regularly back up your data on external drives and keep those drives disconnected when a backup is not running. Netwalker deletes the backups and shadow copies it can reach, so only a copy it cannot reach lets you recover your data after your files are encrypted.
- Implement two-factor authentication or multi-factor authentication. Enable two-factor or multi-factor authentication for all accounts, above all for email, VPN and remote desktop access. With these measures in place, a stolen or guessed password alone is not enough to get into your system.
- Update endpoint passwords. Update your passwords regularly and make sure they are strong and unique.
- Install software patches and updates. Regularly update your operating system and applications to patch vulnerabilities that hackers can exploit.
- Use antivirus and anti-malware software. Robust antivirus and anti-malware solutions can detect and block many types of malware, including ransomware. Just keep the software up to date.
- Monitor and strengthen your cybersecurity. Reach out to cybersecurity specialists to help you implement necessary measures so you can boost your cybersecurity and monitor your system for suspicious activity. IT specialists can also help you implement behavior-based threat detection systems that detect and flag unusual activity that signals security breaches, such as modification of system files, unusual network requests, or attempts to access sensitive data.
- Use a VPN. If you need to connect to your network remotely or use public networks, use a virtual private network to protect your connection and online traffic.
Which systems does Netwalker target?
Netwalker ransomware is Windows-specific ransomware, which means that it primarily targets computers running Windows operating systems. Hackers responsible for Netwalker send phishing emails disguised as legitimate, urgent messages from businesses and healthcare institutions. These phishing and spear phishing emails contain malicious attachments that, if opened, infect your computer with ransomware. Your files are exfiltrated and encrypted, and you get a ransom note demanding instant payouts. Hackers also threaten to release your private data on the dark web if you don’t pay up. In essence, Netwalker operates in a similar way to Ryuk ransomware.
Netwalker ransomware only runs on devices running Windows, so computers using Linux or macOS cannot be infected by it. They are not out of reach, however: Netwalker encrypts network drives as well as local ones, so files that a Linux or macOS server exposes over a network share can still be encrypted from an infected Windows machine. The cyberthreat landscape is also constantly evolving, and over time new versions of ransomware targeting Linux and macOS could emerge, so be vigilant and take preventative measures to protect all of your devices from online threats.