NetWalker “Mailto” Ransomware
I. Targeted Industries
- Higher Education
- Shipping Services
- Financial Institutions
- Private Organizations
- Government Agencies
NetWalker, formerly known as Mailto ransomware, has recently targeted government agencies and private enterprises. Recently reported attacks attributed to NetWalker follow the same pattern as those that targeted the Australian shipping company Toll Group and the Champaign-Urbana Public Health District in Illinois in March. The NetWalker “Mailto” ransomware operators announced that they had infected the network of Michigan State University, publishing five images of documents stolen from the university’s network on a dark web site that the attackers own and operate.
III. Background Information
NetWalker “Mailto” ransomware encrypts and exfiltrates data and demands a ransom to release the information, similar to the Maze ransomware. It has been spread through Word or Excel files in COVID-19-related phishing attempts and disguises itself as the legitimate password management app Sticky Password.
Researchers at Sophos discovered a toolset of malware that supports reconnaissance to locate valuable information, privilege escalation, credential theft, password brute-forcing, and evasion of intrusion detection tools. One tool used is NLBrute, which the attackers have set up to “break into systems with weakly enabled Remote Desktop Services (RDP).” The toolset also looks for specific vulnerabilities in Windows and legacy server environments that can be exploited. NetWalker relies less on self-made tools and more on tools from the public domain.
“The attackers sometimes get a foothold within an organization, explore the network for a while, then distribute a PowerShell dropper for the ransomware.” Using an obfuscated PowerShell loader script and orchestration tools that run through the domain controllers, NetWalker distributes the malware to every machine the domain controllers reach. The process ends with execution of the NetWalker payload, which is delivered as either a DLL or an executable file. The files on the target system are encrypted, and the user is left with a ransom message.
- Scheduled Backups
Back up data regularly and store the backups externally.
- Closely Monitor Remote Access Infrastructure
Unusual activity in event logs should be investigated immediately. Reset the passwords of all accounts if compromise is suspected.
- Malware Monitoring
Continue to monitor and stay informed as new information and advancements occur with the malware.
- Incorporate Known IOCs into IDS
Incorporate the known IOCs of the malware into your intrusion detection system to catch any suspicious behavior related to the malware.
- Turn on Attack Surface Reduction Rules
Include rules that block credential theft and ransomware activity.
- Patch Updates
Update consistently and patch vulnerabilities.
- Recommended Link: https://www.us-cert.gov/Ransomware
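The remote access monitoring item above, together with the RDP brute-forcing and PowerShell dropper behaviour described in the background section, can be turned into concrete log checks. The following is an added example, not code from the advisory or from any referenced vendor: it runs over constructed Windows Security (4625/4624) and PowerShell script-block (4104) events with hypothetical hosts, IPs and users, flags sources that hammer RDP with failed logons, lists accounts that then logged on successfully from such a source (the password-reset candidates), and picks out script blocks carrying loader-style obfuscation markers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows events (Security 4625/4624, PowerShell 4104).
# Hosts, IPs and users are hypothetical, not IOCs from the advisory.
SAMPLE_EVENTS = [
    {"time": "2020-05-28T02:00:01", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"time": "2020-05-28T02:00:02", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2020-05-28T02:00:03", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2020-05-28T02:00:04", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "svc_sql"},
    {"time": "2020-05-28T02:00:05", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "helpdesk"},
    {"time": "2020-05-28T02:00:09", "id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "helpdesk"},
    {"time": "2020-05-28T09:15:00", "id": 4625, "logon_type": 10, "src": "192.0.2.44", "user": "jsmith"},
    {"time": "2020-05-28T02:01:30", "id": 4104, "host": "DC01",
     "script": "powershell -nop -w hidden -EncodedCommand SQBFAFgAIAAo..."},
    {"time": "2020-05-28T09:20:00", "id": 4104, "host": "WS07",
     "script": "Get-ChildItem C:\\Reports | Measure-Object"},
]

# Obfuscation/loader markers commonly seen in script-block logging (4104).
SUSPICIOUS_PS = ("-encodedcommand", "-enc ", "frombase64string",
                 "invoke-expression", "iex(", "iex ", "-w hidden")

def rdp_bruteforce_sources(events, threshold=5, window_s=60):
    """Source IPs with >= threshold failed RDP logons (4625, logon type 10)
    inside any window_s-second window: the trail a tool like NLBrute leaves."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            failures[e["src"]].append(datetime.fromisoformat(e["time"]))
    flagged = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window_s):
                flagged.append(src)
                break
    return sorted(flagged)

def compromised_rdp_accounts(events, **kw):
    """Accounts with a successful RDP logon (4624, type 10) from a brute-forcing
    source: candidates for the password reset the advisory recommends."""
    bad = set(rdp_bruteforce_sources(events, **kw))
    return sorted({e["user"] for e in events if e["id"] == 4624
                   and e.get("logon_type") == 10 and e["src"] in bad})

def suspicious_script_blocks(events):
    """Hosts whose 4104 script blocks carry loader-style obfuscation markers."""
    return sorted({e["host"] for e in events if e["id"] == 4104
                   and any(t in e["script"].lower() for t in SUSPICIOUS_PS)})
```

Feed real exported events in the same field layout to the three functions; the threshold and window are the knobs to tune against your own baseline of failed RDP logons.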
V. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.