Full Report
Executive Summary: The NetWalker ransomware, initially known as Mailto, was first detected in August 2019. Since then, new variants were... (Source: the post "Take a “NetWalk” on the Wild Side", McAfee Blog.)
Analysis Summary
# Tool/Technique: NetWalker Ransomware (formerly Mailto)
## Overview
NetWalker is a ransomware variant that transitioned into a Ransomware-as-a-Service (RaaS) model. It encrypts victim files and employs data exfiltration, threatening to publish the data if the ransom demand is not met. The group seeks technically advanced, Russian-speaking affiliates with existing footholds in large networks.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Unknown/Implied Windows (inferred from the `.exe` sample details and the DLL-loading technique, and from typical ransomware targets)
- Capabilities: File encryption (Salsa20), RaaS operation, data exfiltration, reflective DLL loading for defense evasion, Tor-based victim communication.
- First Seen: August 2019
## MITRE ATT&CK Mapping
*Note: Specific mappings are not explicitly detailed in the text; standard ransomware TTPs are listed where the text implies them.*
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Implied via Tor/Dark Web communication)
- **TA0005 - Defense Evasion**
- T1055 - Process Injection
- T1055.011 - DLL Side-Loading (Explicitly mentioned: reflective DLL loading)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (Implied by demand for affiliates who can "exfiltrate data with ease")
- **TA0003 - Persistence / T1566 - Phishing** (Implied initial access vector/delivery)
## Functionality
### Core Capabilities
- Encrypts files using the Salsa20 encryption algorithm.
- Modifies ransom note and contact method over time (transitioning from email to a Tor interface).
- Threatens to publish stolen data on the dark web if the ransom is not paid.
- Prioritizes targeting large organizations.
### Advanced Features
- **Ransomware-as-a-Service (RaaS):** Operators recruit and incentivize affiliates to deploy the malware.
- **Defense Evasion:** Utilizes **reflective DLL loading** to inject a DLL directly from memory, aiming to bypass traditional file-watching detection mechanisms.
- **Configuration Storage:** Stores its entire configuration (encryption mode, ransom note details, contact info) in a custom resource (type 1337 or 31337) inside the malware binary.
- **Configuration Decryption:** Uses the **RC4 algorithm with a hard-coded key** to decrypt the configuration data extracted into memory.
- **Communication Shift:** Moved communication from anonymous email services to a dedicated **Tor interface** for technical support and key submission post-March 2020.
## Indicators of Compromise
- File Hashes: SHA256: `58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c` (Associated with file named `wwllww.exe`, size 96256 bytes)
- File Names: `wwllww.exe` (example executable name)
- Registry Keys: [Not specified in context]
- Network Indicators: Tor interface used for victim communication. C2/support contact involves a Tor hidden service interface.
- Behavioral Indicators: Attempts to inject DLLs via reflective loading; appends a random extension to infected files.
## Associated Threat Actors
- The NetWalker Collective (RaaS operators)
- Unspecified criminal affiliates (Recruited via RaaS program)
## Detection Methods
- Signature-based detection: McAfee protects customers using antivirus and endpoint/gateway products.
- Behavioral detection: Monitoring for reflective DLL loading techniques and memory injection.
- YARA rules: [Not specified in context]
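One way to turn the configuration-storage detail above (a custom resource of type 1337 or 31337 holding the RC4-encrypted configuration) into a hunting artefact, as an added example rather than a rule from the McAfee post: a YARA rule that flags PE files carrying a resource of either of those custom type IDs. The rule name and metadata are assumptions.

```yara
import "pe"

rule NetWalker_custom_resource_type_hunt
{
    meta:
        description = "Hunts PE files carrying a resource of the unusual custom type 1337 or 31337, the location NetWalker is reported to use for its RC4-encrypted configuration (illustrative rule, not McAfee's)"
        confidence = "low - the resource type alone is a triage signal, not a conviction"

    condition:
        // Only PE files have a resource directory worth inspecting
        pe.is_pe and
        // Walk every resource entry and match on the numeric type ID
        for any i in (0 .. pe.number_of_resources - 1) : (
            pe.resources[i].type == 1337 or
            pe.resources[i].type == 31337
        )
}
```

A hit on the resource type alone is a triage lead, not a conviction; pair it with the behavioural indicators above (reflective DLL loading, a random extension appended to files) before raising an incident.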
## Mitigation Strategies
- Utilizing robust endpoint protection that includes behavioral monitoring (such as the McAfee products mentioned above).
- Applying layered security architecture adaptable to evolving ransomware threats.
- Ensuring security tools can detect in-memory execution techniques like reflective DLL loading.
## Related Tools/Techniques
- Other RaaS models mentioned: Maze, REvil.
- Previous name: Mailto ransomware.