{
	"id": "be364fbc-48dd-4b4c-912a-54d2c20e56ce",
	"created_at": "2026-04-06T00:19:16.449205Z",
	"updated_at": "2026-04-10T03:24:29.196365Z",
	"deleted_at": null,
	"sha1_hash": "6205e94c2c6549f22ad15c875421b85e9727cd20",
	"title": "NetWalker Ransomware - What You Need to Know | Tripwire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51394,
	"plain_text": "NetWalker Ransomware - What You Need to Know | Tripwire\r\nBy Graham Cluley\r\nPublished: 2020-05-28 · Archived: 2026-04-05 23:21:41 UTC\r\nWhat is NetWalker?\r\nNetWalker (also known as Mailto) is the name given to a sophisticated family of Windows ransomware that has\r\ntargeted corporate computer networks, encrypting the files it finds, and demanding that a cryptocurrency payment\r\nis made for the safe recovery of the encrypted data.\r\nRansomware is nothing new. Why should I particularly care about NetWalker?\r\nNetWalker, like the Maze ransomware and a small number of other ransomware families, aggressively threatens to\r\npublish victims' data on the internet if ransoms are not paid.\r\nSo it's not just a case of reaching for your backup?\r\nWell, that's a good start. If your backup is up-to-date and it hasn't been compromised by the attack then at least\r\nyou can get your data back, and have some chance of getting your systems operational again. Of course, you'll\r\nwant to ensure that your systems are properly secured and that hackers haven't maintained access to your systems,\r\nas it's possible you will fall victim again. But there remains the problem of the exfiltrated data. If that's released by\r\nthe NetWalker gang then there are clear dangers - not only to your business, but also to your partners and\r\ncustomers. Rebuilding trust and your corporate reputation is not likely to be easy or inexpensive. This is worse\r\nthan a regular ransomware attack.\r\nNasty. How do they infect your computer system in the first place?\r\nThe NetWalker gang has not been shy of exploiting the COVID-19 pandemic to infect computer systems,\r\nexploiting interest in information amongst the general population as well as targeting individuals and entities\r\nworking in the health industry. 
Poisoned emails sent by the group disguise themselves to appear related to the\r\nCoronavirus crisis, but when recipients click on the attached Word or Excel file their computers are compromised.\r\nIn addition, the ransomware has masqueraded as the legitimate password management app Sticky Password. If a\r\nuser ran the bogus version of Sticky Password, their files would begin to be encrypted.\r\nIs that all?\r\nUnfortunately not. The NetWalker gang sees itself very much as \"ransomware-as-a-service\" (RaaS), providing the\r\ntools and infrastructure for others to launch ransomware attacks in return for affiliate payments.\r\nAffiliates?\r\nhttps://www.tripwire.com/state-of-security/featured/netwalker-ransomware-what-need-know/\r\nPage 1 of 3\n\nI'm afraid so. As Advanced Intelligence describes, the NetWalker gang is posting on dark market forums, inviting\r\nother criminals to become affiliates and help them spread the ransomware. Preference is being given to those with\r\nproven experience in cybercrime and existing access to corporate networks.\r\nWoah! They're recruiting people who have already hacked into company networks?\r\nYes. I guess the thinking is, \"if you've managed to compromise a company network and can't work out how to\r\nmake any money out of it - here's our ransomware, go have some fun...\"\r\nSurely the authorities are going to be hunting for these guys?\r\nI'm sure some are keen to apprehend them. 
However, the NetWalker gang notably prohibits affiliates from\r\ninfecting systems belonging to Russia and the CIS - presumably in an attempt to prevent local law enforcement\r\nfrom being encouraged to investigate the hackers' profitable activities.\r\nDoes that mean the hackers behind NetWalker are likely to be from that part of the world?\r\nI suspect there's a high probability of that.\r\nWhat organisations has NetWalker managed to infect?\r\nVictims have included Australian transportation and logistics firm Toll Group, the Champaign Urbana Public\r\nHealth District (CHUPD) in Illinois, the city of Weiz in Austria, and most recently Michigan State University.\r\nSounds like they've been busy. How can I protect my business?\r\nYou should continue to follow best practices - that means making secure offsite backups, running up-to-date\r\nsecurity solutions, and ensuring that your computers are properly patched against the latest vulnerabilities. In\r\naddition, ensure that any passwords being used are unique and hard-to-crack, and that multi-factor\r\nauthentication is in place to make it harder for unauthorised users to gain access to critical systems. Also,\r\nraise awareness amongst your staff about security threats and the different tricks used by cybercriminals to gain\r\naccess to sensitive data. And if you do have sensitive data (trust me, you do) make sure that whenever possible it\r\nis strongly encrypted.\r\nIf our company is hit by NetWalker, should we pay the ransom?\r\nAs I said previously with the Maze ransomware, ultimately that's a decision that only your business can make.\r\nPaying money to ransomware extortionists makes the problem worse for everyone on the internet as it encourages\r\nthem to launch more attacks. But then you may understandably feel that your company has no choice if it wants to\r\nsurvive. 
Whatever you decide, work with law enforcement agencies to inform them about what has happened, and\r\nhelp them to investigate who might be behind the attacks. Check out this webinar to learn more about how\r\nleveraging basic security controls will help protect and detect ransomware attacks before significant damage is\r\ndone: https://www.youtube.com/watch?v=udwr3V0ojIA\u0026feature=emb_title\r\nEditor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not\r\nnecessarily reflect those of Tripwire, Inc.\r\nSource: https://www.tripwire.com/state-of-security/featured/netwalker-ransomware-what-need-know/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.tripwire.com/state-of-security/featured/netwalker-ransomware-what-need-know/"
	],
	"report_names": [
		"netwalker-ransomware-what-need-know"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434756,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6205e94c2c6549f22ad15c875421b85e9727cd20.pdf",
		"text": "https://archive.orkl.eu/6205e94c2c6549f22ad15c875421b85e9727cd20.txt",
		"img": "https://archive.orkl.eu/6205e94c2c6549f22ad15c875421b85e9727cd20.jpg"
	}
}