Netwalker Ransomware

What is Netwalker Ransomware exactly?

The Netwalker ransomware is fast-growing ransomware, created by the cybercrime group known as ‘Circus Spider’ in 2019. Circus Spider is one of the newer members of the ‘Mummy Spider’ cybercriminal group. Netwalker behaves in a similar way to other ransomware variants. It establishes an initial foothold via phishing emails and then exfiltrates and encrypts sensitive data to be held hostage for a large ransom.

Netwalker is not content with holding the victims’ data hostage. Circus Spider will publish a small sample of the stolen data online to prove they are serious. Circus Spider published one victim’s sensitive data online in a password-protected folder.

Netwalker Ransomware adopts a RaaS model

Circus Spider decided in March 2020 that Netwalker should be a household name. They decided to grow their affiliate network much like the Maze ransomware gang. Shifting to a ransomware-as-a-service (RaaS) model allowed them to operate on a much larger scale, target more organizations, and increase the size of their ransoms.

RaaS is about recruiting affiliates to assist cybercriminal organizations in their nefarious activities. Netwalker gained momentum quickly, as mentioned above. They were nevertheless relatively small in comparison to other ransomware gangs… and.

Circus Spider required a set of criteria to gain the (dis-)honor of joining their small group of criminals. You can also apply for a criminal job posting if you wish.

The following are their main criteria for affiliates:

  • Network experience
  • They speak Russian, and they don’t accept English speakers.
  • Inexperienced users will not be trained
  • Access to quality targets consistently
  • Experience is proof


To attract the best prospects possible, Circus Spider published a list of features that their new partners, if chosen, will be granted access to.

These include:

  • Panel for TOR chat that is fully automatic
  • Observer rights
  • All Windows devices, starting at Windows 2000 and up.
  • Multi-thread lock with fast speed
  • Locker settings that are quick and flexible
  • Unlocker processes
  • Adjacent network encryption
  • PowerShell that make it easy to manage antivirus software
  • Instant payouts

Who and what does Netwalker Ransomware target?

There has been an increase in Netwalker ransomware attack, which mainly targets education and healthcare institutions, since their March first score. They carried out one of their more publicized against a large university that specializes in medical research. The ransomware had taken the university’s sensitive data and the attackers released a sample of the stolen data to prove that they were not playing games. These data included student applications that contained sensitive information like social security numbers. The victim paid $1.14M to their attackers to decrypt their data.

Netwalker hackers have been trying to exploit the chaos caused by COVID-19. They sent out phishing emails about pandemics and targeted healthcare institutions already affected by the pandemic. One of the first healthcare victims had their site taken down by the ransomware just as the public began to turn to them for advice during the pandemic. They launched a second website and directed users to it, creating confusion and distress for all involved. Netwalker and other ransomware organizations continued to attack healthcare institutions throughout the year, mainly because they have understaffed IT departments that are more focused on other areas.

In addition to healthcare and education, Netwalker targets various other industries including:

  • Manufacturing
  • Solutions for business management
  • Management of customer experience
  • Battery solutions and electromobility
  • Education
  • There are many other options.

What is Netwalker?

Step 1: Phishing, Infiltration

Netwalker relies heavily on phishing and spear-phishing as their method of infiltration. Netwalker often sends emails that look legitimate to lure victims into their web, as is the norm with phishing campaigns. Commonly Netwalker will attach a VBS script named “CORONAVIRUS_COVID-19.vbs” that will execute the ransomware when they double-click the email or open the attached word document that contains the malicious script.

Step 2: Data Encryption and Exfiltration

The script will open on your system and run. This means that Netwalker has officially started to penetrate your network. Once it is infecting your system, the ransomware can transform into a legitimate-looking process. It will usually appear as a Microsoft executable. This is done by injecting malicious code into an executable to gain access to process.exe. This method is known as process hollowing.

Step 3: Data Extortion, Recovery (or Loss),

After Netwalker has completed exfiltrating data and decrypting it, the victim will notice something is seriously wrong and receive the ransom note. The ransom note from Netwalker is fairly standard. It outlines what happened and what the victim must do to get their data back. Circus Spider will then request a set amount in Bitcoins to be paid using a portal called TOR.

After their victims comply with their demands, they will grant them access to their customized decryption tool that allows them to decrypt their data. If they don’t meet their demands, Circus Spider will raise their ransom or release some or all of the stolen data onto the dark web.

Below is a diagram showing Netwalker’s attack path.

Tips to Protect Yourself from Netwalker Ransomware

As they expand their affiliate network, Netwalker becomes more sophisticated and difficult to defend against. It is therefore imperative that you take steps to ensure your safety. Netwalker has done enough damage to catch the U.S. government’s eye, and the FBI’s cybercrime division released a Flash warning, TLP: White, advising organizations to be on the lookout for malicious phishing emails related to the pandemic.

These mitigation measures were recommended by the FBI:

  • Backup critical data offline.
  • Make sure you have backups of important data on the cloud, an external hard drive, or another storage device.
  • Make sure you have backups of your data and that data cannot be modified or deleted from the system where it resides.
  • Regularly update and install anti-virus software on all hosts.
  • Use only secure networks. Avoid public Wi-Fi networks. Use a VPN to protect your network.
  • Two-factor authentication is recommended with strong passwords.
  • Make sure your applications, devices, and computers are up-to-date. Like other ransomware, Netwalker exploits vulnerabilities in your infrastructure and systems to take control over users’ computers. They also hold your data hostage until they pay you.

These procedures can help reduce the ransomware’s damage once it infects your system. However, they are still only mitigation. These procedures can be proactively performed to prevent ransomware from spreading and reduce its damage once it has infected your system. However, prevention education is a powerful weapon against Netwalker.

Do not get caught on this Phishing Trip

Netwalker uses phishing attacks that include malicious executables and links to infect computers. It is important to educate your company about the dangers of these campaigns and what to do to protect your sensitive data. Regular data security training is a great way to prevent malicious emails. These are the things you should do if you get an email asking for you to download a file or share your credentials.

  • Double-check that the email address is the correct domain and name
  • Make sure to check for spelling mistakes in the body and subject
  • Do not share credentials–legitimate senders will never ask for them
  • Do not open attachments or download suspicious links
  • Inform the person responsible for your IT security of suspicious emails

To ensure that your social engineering education made an impact on your security measures, we also recommend running attack simulations. Fake phishing emails can be a great way for your organization to measure the effectiveness of your security training and identify those who may need extra assistance. To track user interactions, you can monitor the metrics to see who opens any attachments or links, gives out their credentials, or reports it to your organization.

Varonis: How Varonis can help

Protecting sensitive data is possible by educating your organization about ransomware-related, phishing attacks. But taking your defenses a step further with proactive threat detection and data security can limit your exposure to damaging consequences even further.

Protect yourself with behavior-based threat detection

Varonis alerts you to signs of compromise by ransomware groups with a behavior-based threat model for each stage of the kill chain. We create profiles for users across multiple platforms by combining subtle deviations from email behavior with suspicious logins, network connections, and data access. These unique combinations allow us to catch threats that other security solutions fail to detect and produce few false positives.

Varonis can detect phishing attempts through monitoring Microsoft Exchange and Exchange Online mailboxes. It will look for malicious file attachments matching a list of patterns found in ransomware spam templates.

With Edge’s proxy-based detections, customers can also detect when a user downloads an attachment or clicks on a link within the body of an email that results in a malicious Netwalker loader download.

Varonis’ behavior-based threat identification will alert Varonis if a compromised account starts accessing sensitive information. Varonis employs multiple behavior models to determine how users use data and detect when they access unusual amounts of data. Varonis can distinguish between automated and manual actions. It can also detect when a user starts to exfiltrate or encrypt files in an unusual manner and stop the ransomware from spreading. Many customers use automated responses to stop this type of behavior. This disables the account and kills active connections.

By watching file system activity, Varonis quickly detects when ransomware saves known penetration tools to disk (a common Netwalker tactic), or when a user searches file shares for files containing passwords or other sensitive data. These searches can often prove fruitful because a given user account has access to far more data than they need.

You can get to the least privilege and reduce your attack surface

It is crucial to have the right detection system in place to protect your company from ransomware. It is equally important to ensure that ransomware is not detected at the beginning. This can be achieved by organizations by limiting the amount of data they have made public, which will limit the potential for encryption or theft. Varonis can identify data that is too accessible and automates the processes to secure it. This will allow you to not only limit your attack surface but also reduce the potential damage that ransomware infections can cause.

Keep alert and keep on top of things… Time is of the essence

You should act immediately if you suspect you are a victim of the Netwalker Ransomware. To find the affected files and to restore them, run a query that displays all file accesses and modifications made by users over time. For free assistance in investigating an incident, you can call our highly-respected Incident Response Team.

Protect Yourself – Receive a Ransomware Preparedness Assessment for Free

Ransomware is becoming more sophisticated and difficult to detect. To stay ahead, organizations need to be proactive in limiting their attack surface and implement effective detection methods. Varonis has extensive knowledge in the detection and prevention of ransomware infections. To see where you might be vulnerable and gauge your readiness for a potential attack, sign up for a free ransomware preparedness assessment. We will provide you with a customized report tailored to your environment. Additionally, we can help you determine what remediation steps can be taken to protect your company from an attack.