As explained in other articles on ransomware, these cyber-attacks have become extremely important for users and companies, not so much because of the number of attacks (although in some cases they can be massive) but because of the large economic benefit obtained from the practice, which has led to the appearance of many groups specialized in its development, and because of the reputational damage they cause to victims.
This post seeks to provide information about NetWalker ransomware, also known as Mailto or Koko, which has been used in a recent malware campaign distributed under emails pretending to provide information about the current status of the COVID-19 health alert.
RaaS business model
Before getting into technical details, we should first understand the business model of the actors responsible for NetWalker. The threat began operating in September 2019, but it was not until 19 March 2020 that the user with the alias Bugatti opened the opportunity for other cybercriminals to join the group under a RaaS (Ransomware as a Service) business model:
- Figure 1: Conditions for joining NetWalker. Source: El Mundo -
Its corresponding English translation is:
[PARTNER] Netwalker Ransomware We’ve opened a set of advertisements to process networks and spam. Interested in people who work towards quality, not quantity. We prefer those who can work with large networks and have their own material. We recruit a limited number of partners and stop recruiting until there are openings. We offer fast and flexible ransomware, an administration panel in TOR and automatic service. Access the service through encrypted files from AV. For verified ads, we deliver prepared material (IP \ admin domain account \ NAS access \ AV information \ organization name \ revenue) for network processing. The ransomware has been operating since September 2019 and has proven itself, it cannot be deciphered. You will receive all the detailed information about ransomware and working conditions after compiling the application in the private message. Request form: 1) What direction are you working in? 2) Experience. What affiliate programs have you worked with and what were the benefits? 3) How much material do you have? When are you ready to begin? How much of the material do you plan to process?
In an article from 18 March on the BleepingComputer web portal, the operators responsible for NetWalker were asked whether they would attack hospitals, and they made it clear that hospitals were not their target, responding as follows:
"Hospitals and medical facilities? Do you think someone has a goal to attack hospitals? We don't have that goal - it never was. It coincidence. No one will purposefully hack into the hospital."
Analysis of associated files
The NetWalker ransomware sample analyzed was distributed using a dropper written in Visual Basic Script (VBS), which is included as an attachment in the spam campaign. It is crypto-ransomware: it blocks access to the user's data by encrypting the files on the device while leaving the device itself accessible.
On 18 March this year, the file CORONAVIRUS_COVID-19.vbs was first submitted to VirusTotal and, as of 31 March, 32 of the 59 antivirus engines used by VT had classified the sample as malicious, as shown in the following image:
- Figure 2: Analysis of VirusTotal for CORONAVIRUS_COVID-19.vbs -
In Figure 2, the hashes (MD5, SHA-1 and SHA-256) associated with the dropper can be identified.
At the same time, this dropper file contains an embedded Windows executable that has been seen under several names (WTVConverter.exe, qesw.exe and qeSw.exe); its VirusTotal analysis is shown below:
- Figure 3: Analysis of VirusTotal for qeSw.exe -
The execution of NetWalker is divided into four phases:
- The malicious code imports the operations of the Windows libraries that will be used during the rest of the execution.
- The ransomware configuration file, which contains various parameters regarding encryption and ransom, is extracted from the resources of the executable.
- Variable initialization, such as the affected user’s identifier.
- Main procedure, where the file encryption process takes place.
Before encryption, shadow copies (volume snapshots) are removed by running vssadmin.exe in a hidden window, in order to prevent the encrypted files from being recovered from the backups generated by the VSS (Volume Shadow Copy) service:
<SYSTEM32>\vssadmin.exe delete shadows /all /quiet
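The shadow-copy deletion above is one of the few host-level signals NetWalker gives before files are encrypted, so it is worth alerting on. The following is an added detection example (not code from the original article or from any vendor) that scans process-creation events for the vssadmin command shown above. The event line format (`key=value|key=value`), the sample events and the parent-path heuristic are all constructed for illustration; the parent executable names reuse the aliases the article lists for the embedded binary.

```python
import re

# Matches the command the article shows NetWalker running:
#   <SYSTEM32>\vssadmin.exe delete shadows /all /quiet
# The trailing arguments are captured so the alert can record /all and /quiet.
VSSADMIN_DELETE = re.compile(
    r"(?:^|[\\/\s])vssadmin(?:\.exe)?\s+delete\s+shadows\b(?P<args>.*)$",
    re.IGNORECASE,
)

# Parent executables living in user-writable locations are a stronger signal
# than an administrator typing the same command into cmd.exe (heuristic, assumed).
USER_WRITABLE_PARENT = re.compile(r"\\(?:temp|appdata|downloads)\\", re.IGNORECASE)

# Constructed sample events in a simplified "key=value|key=value" format,
# modelled loosely on Sysmon process-creation fields. Not real telemetry.
SAMPLE_LINES = [
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet|ParentImage=C:\Users\victim\AppData\Local\Temp\qeSw.exe",
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin list shadows|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin delete shadows /for=C: /oldest|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe 46X19p-readme.txt|ParentImage=C:\Windows\explorer.exe",
]


def parse_event(line):
    """Split one 'key=value|key=value' line into a dict of fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return an alert dict if the event is a vssadmin shadow deletion, else None."""
    match = VSSADMIN_DELETE.search(event.get("CommandLine", ""))
    if not match:
        return None
    args = match.group("args").lower().split()
    parent = event.get("ParentImage", "")
    # Deleting every shadow copy at once is what ransomware does; a single
    # targeted deletion from an admin shell is more likely to be routine.
    severity = "high" if "/all" in args else "medium"
    if USER_WRITABLE_PARENT.search(parent):
        severity = "critical"
    return {
        "severity": severity,
        "parent": parent,
        "all": "/all" in args,
        "quiet": "/quiet" in args,
    }


def scan(lines):
    """Run the classifier over raw event lines and collect the alerts in order."""
    alerts = []
    for line in lines:
        hit = classify(parse_event(line))
        if hit:
            hit["line"] = line
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert["severity"], alert["parent"], alert["line"])
```

Run as-is, the script reports the NetWalker-style event from the Temp directory as critical and the administrator's single deletion as medium, while ignoring `vssadmin list shadows`. Tuning the parent-path list to the environment is the main knob: the command itself is legitimate, so context is what separates backup housekeeping from pre-encryption cleanup.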
The encryption process generates a 6-character unique identifier (the ID of the affected user), which it uses as the extension for encrypted files and as part of the name of the ransom notes:
Original name: file93.docx
Name after encryption: file93.docx.46X19p
Ransom note generated in the same path: 46X19p-readme.txt
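During triage of an affected machine, the naming scheme above lets a responder recover the victim ID and the list of encrypted files from a plain directory listing. The following is an added example (not code from the original article) that does this. It assumes the ID is 6 alphanumeric characters, as in the article's example `46X19p`, and only reports an ID when a matching `<ID>-readme.txt` note is present, because a file that merely ends in a six-letter extension (for example `web.min.config`) would otherwise be a false positive. The file list is constructed for illustration.

```python
import re
from collections import defaultdict

# Encrypted file: original name (which still carries its own extension)
# followed by ".<ID>", where the ID is assumed to be 6 alphanumeric characters.
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+\.[A-Za-z0-9]{1,10})\.(?P<id>[A-Za-z0-9]{6})$"
)

# Ransom note: "<ID>-readme.txt" dropped in the same directory.
RANSOM_NOTE = re.compile(r"^(?P<id>[A-Za-z0-9]{6})-readme\.txt$", re.IGNORECASE)

# Constructed directory listing of a hypothetical affected host.
SAMPLE_PATHS = [
    r"C:\Users\victim\Documents\file93.docx.46X19p",
    r"C:\Users\victim\Documents\report.xlsx.46X19p",
    r"C:\Users\victim\Documents\46X19p-readme.txt",
    r"C:\Users\victim\Documents\notes.txt",
    r"C:\Users\victim\Documents\web.min.config",  # 6-char extension, not encrypted
]


def basename(path):
    """Return the last path component, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(paths):
    """Group encrypted files and ransom notes by victim ID.

    Returns {id: {"encrypted": [original names], "note": bool}} for every ID
    that is corroborated by a ransom note; uncorroborated IDs are dropped.
    """
    by_id = defaultdict(lambda: {"encrypted": [], "note": False})
    for path in paths:
        name = basename(path)
        note = RANSOM_NOTE.match(name)
        if note:
            by_id[note.group("id")]["note"] = True
            continue
        enc = ENCRYPTED_NAME.match(name)
        if enc:
            by_id[enc.group("id")]["encrypted"].append(enc.group("orig"))
    return {vid: info for vid, info in by_id.items() if info["note"]}


def candidate_ids(paths):
    """All IDs suggested by file names, before note corroboration (for comparison)."""
    return sorted({m.group("id") for p in paths
                   if (m := ENCRYPTED_NAME.match(basename(p)))})


if __name__ == "__main__":
    print("candidates:", candidate_ids(SAMPLE_PATHS))
    for vid, info in triage(SAMPLE_PATHS).items():
        print(vid, "note present" if info["note"] else "no note",
              len(info["encrypted"]), "files:", ", ".join(info["encrypted"]))
```

The recovered ID is the value the ransom note asks the victim to enter on the payment site, so it is also the key for correlating files, notes and any later decryptor that might be released (see the recovery measures below, which recommend preserving a cloned disk for exactly that reason).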
The instructions for decrypting the files on a computer affected by NetWalker ransomware are shown below:
- Figure 4: NetWalker ransom note. Source: PCrisk -
The note asks the victim to install Tor Browser, provides the address of a website reachable over the TOR network, and gives the victim's personal NetWalker code, which must be entered on that website:
- Figure 5: Payment gateway accessible from the TOR network Source: El Mundo -
Once the victim has been identified, the site states that the initial ransom price is 1,000 dollars and that the amount doubles if it is not paid within a week. The payment address provided is unique to each infection.
Analyzing the NetWalker modus operandi, and given the nature of its code, it does not try to establish persistence on the affected system or to propagate laterally, nor is there any network traffic to other machines. Furthermore, the executable responsible for the encryption deletes itself after completing its execution.
The first and main recommendation in ransomware cases is never to pay the ransom demanded by the cybercriminals: payment does not guarantee that they will respond and restore the infected computer by delivering the decryption key.
Unfortunately, at this time there is no known decryption solution for this ransomware, so the following general measures should be considered:
- Isolate the computer from the network to prevent the cyber-attack from spreading to other devices, bearing in mind any hard drives, network shares or cloud services that may be connected to it.
- Clone the entire hard drive to preserve the original device and attempt the data recovery on the cloned drive. Even if no solution exists today, as is the case with NetWalker, one may be developed in the future, in which case the encrypted files could still be recovered.
- Disinfect the cloned disk with an appropriate tool and then attempt to recover the data from it.
- Finally, once it is confirmed that the malware has been removed from the computer, change all passwords that were used on the affected computer.
Preventative and protective measures
Among the preventative measures to be taken, it is important to highlight the following:
- Do not download files that are suspicious, unusual or come from an unknown sender.
- Carry out backups periodically so that systems can be restored quickly, with the least possible information loss and operational impact.
- Improve the segmentation of the network in order to prevent massive propagation of the threat.
- Review and strengthen, where necessary, the security policies of the organization.
- Never pay the ransom; report the incident to your CSIRT (Computer Security Incident Response Team) of reference.
NetWalker is a relatively new ransomware (September 2019) that has evolved in the past few months, although there is no evidence to date of victims affected or suffering its consequences.
It should also be noted that, although attempts have been made to take advantage of the alarm caused by COVID-19, the creators of the ransomware themselves have clearly stated that hospitals are not their target.