Credential Theft
- Mimikatz
- ProcDump
NetWalker is a ransomware family and ransomware-as-a-service (RaaS) operation.
Profile source: Mallory opens in a new tabNetwalker
NetWalker is a ransomware family and ransomware-as-a-service (RaaS) operation. The provided content states that it encrypts files on infected machines to extort victims, deletes Shadow Volumes to inhibit recovery, and can use WMI to delete shadow copies. It can detect and terminate active security software-related processes on infected systems, indicating defense-evasion behavior. NetWalker has been described as written in PowerShell, executed directly in memory to avoid detection, with its DLL embedded in the PowerShell script in hex format; related reporting also notes multiple layers of PowerShell obfuscation including Base64, hexadecimal encoding, XOR encryption, and obfuscated functions and variables. The content also references a registry artifact in the form of an added entry under HKEY_CURRENT_USER\SOFTWARE\{8 random characters}. Infection and access vectors mentioned in the content include coronavirus-themed phishing lures, including attacks against Spanish hospitals, .vbs attachments in COVID-19-themed emails, exploitation of Telerik UI for ASP.NET AJAX vulnerability CVE-2019-18935, and compromises of misconfigured IIS-based applications followed by use of tools such as Mimikatz and PsExec before ransomware deployment. NetWalker is associated in the content with the threat actor Circus Spider, which is described as generally targeting hospitals in the U.S. and Spain. Additional ecosystem references note that UNC2628 was believed to partner with multiple RaaS services including NetWalker, and that law enforcement seized NetWalker data leak and payment sites in January 2021, with other reporting in the content referring to the arrest of an affiliate and the program's subsequent demise. The content also notes that Garantex received cryptocurrency proceeds from Russia-linked ransomware attacks including NetWalker.
Ransomware.live
Reported operators
UNC2628 is thought to partner with other RaaS services including REvil and Netwalker.
In a January 2021 thread on Exploit regarding the arrest of an affiliate for the NetWalker ransomware program and its subsequent demise, Wazawaka seems already resigned those limitations.
"January 2020 CIRCUS SPIDER’s NetWalker"
Exploited software
MITRE ATT&CK
Reporting
...processing funds from those related to Conti, Black Basta, LockBit, NetWalker, and Phoenix Cryptolocker ransomware variants.
Garantex has received millions of dollars in cryptocurrency directly from the proceeds of various Russia-linked ransomware attacks, including those involving the Conti, Black Basta, LockBit, NetWalker, and Phoenix Cryptolocker ransomware variants.
Garantex processed more than $100 million in transactions tied to illicit activities including from the proceeds of ransomware attacks involving threat groups like Conti, Black Basta, LockBit, NetWalker and Phoenix Cryptolocker.
Netwalker can delete the infected system's Shadow Volumes to prevent recovery.
"Similar messages also appeared following the disruption of the Hive and NetWalker ransomware operations, respectively."
The University of California San Francisco (UCSF), for example, paid $1.14 million after a ransomware gang, thought to be Netwalker, encrypted servers used by the UCSF School of Medicine.
Netwalker and Egregor reduced their operations since the raids, how do you feel about that?
For example, the NetWalker ransomware uses the PowerShell command below to inhibit system recovery.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.