MA-792.092020: MyCERT Alert - Increase of NetWalker Ransomware Attacks

  • 18 Sep 2020
  • Alert
  • netwalker; ransomware; encrypted; bitcoin

1.0 Introduction

MyCERT has recently received several incident reports of NetWalker ransomware targeting Malaysia's corporate networks and demanding payment from victims in bitcoin. As a preventive measure, MyCERT is releasing this alert to advise organizations to take the necessary steps to secure their systems against such incidents as well as against other security threats.

NetWalker (also known as Mailto) is a Windows ransomware that targets corporate computer networks and encrypts the files of compromised devices.[1] As with many ransomware families, the adversaries behind it demand a cryptocurrency payment for the safe recovery of the encrypted data. NetWalker was discovered in August 2019, has since gained enough notoriety to alarm corporate targets, and has been used in targeted attacks against organizations. Recently the tactics have evolved to include threats to leak data exfiltrated during the attack, adding further damage to the affected organization.[1]

NetWalker operates as a closed-access RaaS — Ransomware-as-a-Service portal. Different groups and hackers sign up and go through a vetting process, after which they are granted access to a web portal where they can build custom versions of the ransomware.[1]

2.0 Tactics, Techniques and Procedure

Figure 1: NetWalker TTP

Initial access can come from three vectors, as depicted in Figure 1, including the use of exploits and compromised accounts. Previously, spear-phishing was also a common initial access technique, directly infecting a specific host. The tactics have now evolved such that the ransomware payload is executed in the later stages of the attack, with the initial stages focused on obtaining a foothold on the network, moving laterally and exploiting additional systems, exfiltrating data from victim machines and finally executing the ransomware payload.

The adversary brute-forces administrator credentials and uses an RDP connection to log in to the internal network environment. After gaining control of a domain admin account, the adversary uses various other tools to deploy payloads and access data.

From there, they continue to exploit IIS-based applications or VPN services and drop Mimikatz to steal credentials, which they then use to launch PsExec. They also turn on Windows Remote Management for persistent control using the stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulate various settings through Group Policy. The ransomware is capable of traversing network shared folders and encrypting the files it finds.

They establish fileless persistence using scheduled tasks and services that launch PowerShell-based remote shells. Once the ransomware process is running, it generates a unique ID and file extension to be used during the encryption process. Registry keys are then created according to the unique ID:

[HKCU\SOFTWARE\<personal code>]
[HKU\SOFTWARE\<personal code>]

The ransomware deletes Volume Shadow Copies to prevent users from restoring their files. It then searches for all files, skipping certain files and folders, and terminates selected system processes. Each folder containing encrypted files will include a ransom note, as shown in Figure 2 below.

Figure 2: Sample of ransom note

Ransom notes belonging to NetWalker variants are mostly identifiable by the same format, highlighted in the blue box in Figure 2. The ransom note includes the steps victims are to take to make payment and decrypt the affected files and folders.

Figure 3: Data collected by adversary to be displayed in dark web

The adversary also collects confidential data belonging to the victim and uploads it to their own dark web forum, the address of which is provided in the ransom note. The forum is used to keep track of the extortion time limit, after which the collected data is published publicly if payment is not made within the proposed time.
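The behaviours described in section 2.0 (Volume Shadow Copy deletion, PsExec-driven lateral movement, Mimikatz, turning on Windows Remote Management, and scheduled tasks that launch PowerShell) are the kind of telemetry a defender can alert on. The script below is an added example, not part of the MyCERT alert: it runs a handful of detection rules over constructed, Sysmon-style process-creation records flattened to key=value lines. The host names, user names and log format are made up for the example, and the command-line patterns in the rules are assumptions drawn from common tooling rather than indicators published on this page.

```python
"""
Added example (not from the MyCERT alert): a small detection pass over
process-creation telemetry for the behaviours section 2.0 describes.
Log lines are constructed, Sysmon-style records flattened to key=value;
the command-line patterns are assumptions drawn from common tooling,
not indicators published on the page.
"""
import re
from dataclasses import dataclass

# One rule per TTP: name and a regex applied to "<image> <cmdline>" lower-cased.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("psexec_lateral_movement",
     re.compile(r"\bpsexec(64)?(\.exe)?\b|\bpsexesvc\b")),
    ("mimikatz_credential_theft",
     re.compile(r"\bmimikatz\b")),
    ("winrm_enabled",
     re.compile(r"enable-psremoting|winrm(\.cmd)?\s+quickconfig")),
    ("schtask_powershell_persistence",
     re.compile(r"schtasks(\.exe)?\s+/create.*powershell")),
]

# key=value pairs; values containing spaces are double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Event:
    host: str
    user: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Parse one flattened log line into an Event."""
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    return Event(fields["host"], fields["user"], fields["image"], fields["cmdline"])


def detect(lines):
    """Return (rule, host, user, cmdline) for every line that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        haystack = f"{ev.image} {ev.cmdline}".lower()
        for name, pattern in RULES:
            if pattern.search(haystack):
                hits.append((name, ev.host, ev.user, ev.cmdline))
    return hits


# Constructed sample telemetry (hosts, users and paths are invented).
SAMPLE_LOG = [
    r'host=FS01 user=CORP\admin image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'host=WS07 user=CORP\admin image=C:\Temp\PsExec.exe cmdline="PsExec.exe \\FS01 -s cmd.exe"',
    r'host=DC01 user=CORP\admin image=C:\Temp\mimikatz.exe cmdline="mimikatz.exe"',
    r'host=DC01 user=CORP\admin image=C:\Windows\System32\schtasks.exe cmdline="schtasks.exe /create /tn Updater /tr powershell.exe -nop -w hidden -enc AAAA /sc minute"',
    r'host=DC01 user=CORP\admin image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe Enable-PSRemoting -Force"',
    r'host=WS02 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Each of the five malicious sample lines trips exactly one rule and the benign notepad line trips none; in production the same rules would be fed from a SIEM or EDR pipeline, and the shadow-copy and scheduled-task rules in particular are worth correlating with the registry keys named above, since the ransomware creates them only once it is already running.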

3.0 Recommendations

Attached below are some recommendations for preventive measures and mitigation steps against these attacks:

  • Follow a strict patching protocol for both operating systems and all the applications that run on them, including your network appliances, e.g. firewall and VPN settings.
  • Conduct complete, regular vulnerability scans and penetration tests across the network.
  • Perform periodic assessments, using third-party tools like Censys or Shodan, to identify publicly accessible services and ports across your public-facing IP address space, then close them.
  • Restrict access to port 3389 (RDP) so that only staff connecting through a VPN can remotely access any systems. Restrict VPN access to the specific IP addresses, ranges or geographies from which your organization wishes to allow remote access.
  • Require the use of multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN.
  • Improve network segmentation in order to prevent large-scale propagation of the threat and strengthen, where necessary, the organization's security policies.
  • Improve password policies: encourage employees to use secure password managers, longer passphrases and no reuse of passwords across multiple accounts, and use password expiry settings so that passwords must be changed after a few months and previously used passwords cannot be reused.
  • Improve account access controls: enact sensible policies to secure idle accounts; automatically lock accounts and alert IT staff after a number of failed login attempts.
  • Perform real-time monitoring with the goal of identifying and, if necessary, quickly locking down unusual account activity. Perform drills to improve the response time of the IT staff in charge of this task.
  • Educate staff about security risks by running regular phishing tests.
  • Back up data and implement a backup policy. Carry out backups periodically so that systems can be re-established quickly, with minimal information loss and operational impact.
  • Do not download files that are suspicious, unusual or from an unknown sender.
  • Never pay the ransom; the incident should be reported to your CSIRT (Computer Security Incident Response Team) of reference.
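Two of the recommendations above, locking accounts and alerting IT staff after repeated failed logins and monitoring account activity in real time, directly address the RDP brute-force step described in section 2.0. The following is an added example, not MyCERT's or Microsoft's code: a sliding-window monitor fed with constructed failed-logon records in the shape of Windows Security Event ID 4625 with LogonType 10 (RemoteInteractive, i.e. RDP). The threshold of 5 failures in 10 minutes, the record field names, the account names and the source addresses (taken from the documentation ranges 203.0.113.0/24 and 192.0.2.0/24) are all assumptions made for the example; the lockout itself is recorded in memory here, where a real deployment would call the directory service.

```python
"""
Added example (not from the MyCERT alert): RDP brute-force detection with
automatic lockout and alerting, over constructed Event ID 4625 records.
Threshold, window and record layout are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures before lockout + alert (assumed policy value)
WINDOW = timedelta(minutes=10)   # sliding observation window (assumed)
RDP_LOGON_TYPE = 10              # Event 4625 LogonType for RemoteInteractive (RDP)


class BruteForceMonitor:
    """Counts RDP logon failures per (account, source IP) inside a sliding window."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)   # (account, ip) -> deque of timestamps
        self.locked = set()                   # accounts this monitor has locked
        self.alerts = []                      # (timestamp, account, source_ip, count)

    def observe(self, event):
        """Feed one event; return an alert tuple when the threshold is crossed."""
        if event["EventID"] != 4625 or event["LogonType"] != RDP_LOGON_TYPE:
            return None
        key = (event["TargetUserName"].lower(), event["IpAddress"])
        ts = event["TimeCreated"]
        q = self._failures[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold and key[0] not in self.locked:
            # Real deployment: disable the account in AD and page the on-call staff here.
            self.locked.add(key[0])
            alert = (ts, key[0], key[1], len(q))
            self.alerts.append(alert)
            return alert
        return None


def run(events):
    """Replay events in time order through a fresh monitor and return it."""
    monitor = BruteForceMonitor()
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        monitor.observe(ev)
    return monitor


def make_events():
    """Constructed sample: six RDP failures against 'Administrator' from one
    address within three minutes, plus activity that must not trigger."""
    base = datetime(2020, 9, 18, 2, 0, 0)
    events = []
    for i in range(6):
        events.append({"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator",
                       "IpAddress": "203.0.113.45",
                       "TimeCreated": base + timedelta(seconds=30 * i)})
    # Two failures an hour apart from an office user: never inside one window together.
    for i in range(2):
        events.append({"EventID": 4625, "LogonType": 10, "TargetUserName": "jdoe",
                       "IpAddress": "192.0.2.10", "TimeCreated": base + timedelta(hours=i)})
    # A console failure (LogonType 2) is outside the scope of this RDP-focused rule.
    events.append({"EventID": 4625, "LogonType": 2, "TargetUserName": "Administrator",
                   "IpAddress": "-", "TimeCreated": base})
    return events


if __name__ == "__main__":
    monitor = run(make_events())
    for alert in monitor.alerts:
        print("LOCK+ALERT", alert)
```

The monitor fires once, on the fifth failure, and stays silent for the sixth because the account is already locked; keying on the account and source address together keeps a single misbehaving client from locking out an account being used legitimately from elsewhere, which is the balance the lockout recommendation above is asking for.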

Generally, MyCERT advises users of these systems to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 - 8008 7000 (Office Hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT

5.0 References
