{
	"id": "dc65aad1-a8a9-462d-a9a7-96a93a0b1c3d",
	"created_at": "2026-04-06T00:17:19.082732Z",
	"updated_at": "2026-04-10T13:12:49.938685Z",
	"deleted_at": null,
	"sha1_hash": "bebfd582a7ec707b9788ddcc713b3b51465b1f87",
	"title": "Cybereason vs. NetWalker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1628332,
	"plain_text": "Cybereason vs. NetWalker Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 19:21:53 UTC\r\n\r\nThe NetWalker ransomware has been one of the most notorious ransomware families over the course of the past year, targeting organizations in the US and Europe, including several healthcare organizations, despite several known threat actors publicly claiming to abstain from targeting such organizations due to COVID-19.\r\n\r\nKey Findings\r\nWorldwide Threat: NetWalker was employed in attacks across a variety of industries around the world, which caused great damage to many organizations.\r\nEncrypting Mapped Drives: NetWalker encrypts shared network drives of adjacent machines on the network.\r\nDouble Extortion Operations: The threat actor behind NetWalker threatens to publicly reveal stolen data if payments are not made.\r\nHigh Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.\r\nDetected and Prevented: The Cybereason Defense Platform fully detects and prevents the NetWalker ransomware.\r\nCybereason Blocks NetWalker Ransomware\r\nhttps://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware\r\nPage 1 of 10\r\n\r\nNetWalker ransomware first surfaced in August of 2019 (first dubbed Mailto). The group behind NetWalker operates a Ransomware-as-a-Service (RaaS) business model, which means they provide their infrastructure, tools and support in exchange for affiliate payment.\r\n\r\nNetWalker operators have adopted the recent popular trend among ransomware purveyors: double extortion. In addition to demanding a ransom for the encrypted files, the group behind NetWalker steals sensitive data and files from its victims. The group extorts the victims by threatening to leak the stolen data unless the ransom is paid. This technique renders the practice of data backups all but moot in combating the impact of ransomware attacks. Other known ransomware groups that leverage the double extortion paradigm are Maze, REvil, and DoppelPaymer.\r\n\r\nThe group behind NetWalker also maintains a blog on the Darknet where the group publishes information about its new victims alongside a countdown to the deadline for the ransom to be paid. If the time limit has expired and no ransom has been paid, the stolen data is published to this blog:\r\nNetwalker Blog\r\n\r\nThe targets of NetWalker belong to various sectors, among them educational facilities, local government, healthcare providers, and private companies. In June of 2020, three US universities were targeted with the ransomware: the University of California San Francisco, Michigan State University, and Columbia College of Chicago.\r\n\r\nDifferent government facilities in Austria and Argentina were victims of NetWalker in the past year as well. The attackers behind NetWalker do not pass on healthcare facilities either: it has been reported that NetWalker attacked Wilmington Surgical Associates and 13GB of data was stolen. Other healthcare facilities have been targeted as well, among them Crozer-Keystone Health System.\r\n\r\nOther companies that fell victim include NameSouth, a US-based auto parts distributor, K-Electric, an electricity provider in Pakistan, and Toll Group Deliveries, an Australian transportation and logistics company.\r\n\r\nInfection\r\nThe NetWalker operators have been observed using several different methods to infect an organization, including the abuse of COVID-19 topics for phishing mails, weak credentials for Remote Desktop Protocol (RDP), exposed web applications and unpatched VPNs. According to a Federal Bureau of Investigation (FBI) Flash Alert, “two of the most common vulnerabilities exploited by actors using NetWalker are Pulse Secure VPN (CVE-2019-11510) and Telerik UI (CVE-2019-18935).”\r\n\r\nFor example, Cybereason observed an attack that started with a VBS file attached to a phishing email with COVID-19 lure content:\r\nCORONAVIRUS_COVID-19.vbs script\r\n\r\nUpon execution, the script drops the ransomware to “%temp%” and executes NetWalker:\r\nCORONAVIRUS_COVID-19.vbs script deploys NetWalker as seen in Cybereason\r\n\r\nIn other cases, the ransomware was deployed following an interactive hacking operation, using a ported version of the ransomware payload that was injected into explorer.exe by a PowerShell script:\r\nPowerShell payload injects NetWalker as seen in Cybereason\r\n\r\nRansomware Analysis\r\nAs a means of evasion, NetWalker does not directly declare its imported Windows API functions in the import table. Instead, the ransomware dynamically resolves all of its APIs, a technique used to make static analysis harder. NetWalker compares a CRC32 hash of an API name against the exports of specific modules, then builds a struct that holds the addresses of the APIs NetWalker uses:\r\nNetWalker dynamically loads API\r\n\r\nAfter resolving the needed APIs, NetWalker loads the ransomware configuration. The configuration is stored in the ransomware's resources and is RC4 encrypted:\r\nNetWalker configuration file\r\n\r\nThe configuration file holds the following information:\r\nParameter  Description\r\nmpk  Public key\r\nmode  Encryption mode\r\nspsz  Encryption chunk size\r\nthr  Threading limit\r\nnamesz  Length of the generated name of the persistence executable\r\nidsz  Length of the generated id\r\nlfile  Template for the ransom file name\r\nonion  TOR site\r\nlend  Base64 encoded template of the ransom note\r\nwhite  Whitelist of directories, files, and extensions\r\nkill  Processes and services to terminate, as well as a task to run after encryption\r\nnet  Flags for network resources encryption\r\nunlocker  Exclusions during encryption\r\nNetWalker Configuration Data\r\n\r\nBefore encrypting the victim's files, NetWalker deletes the Windows Shadow Copies using the vssadmin.exe delete shadows /all /quiet command. On some variants, the command is spawned by the ransomware executable; on others, it is spawned by the PowerShell script which executes NetWalker:\r\nNetWalker deletes shadow copies\r\n\r\nNext, the ransomware starts the encryption stage. NetWalker checks for valid drives in the system using GetLogicalDriveStringsW. For network drives, the ransomware uses ImpersonateLoggedOnUser in an attempt to impersonate the context of the current user in order to access the remote drive. NetWalker then encrypts the files on the network and local drives using Salsa20 encryption. After the files are encrypted, the ransom note is placed.\r\n\r\nOn some variants, NetWalker also creates persistence via the Run registry key and drops a copy of the ransomware to ‘C:\\Program Files\\random_generated_name\\random_generated_name.exe’ or ‘C:\\Program Files (x86)\\random_generated_name\\random_generated_name.exe’.\r\nNetWalker ransom note\r\n\r\nCYBEREASON DETECTION AND PREVENTION\r\nThe Cybereason Defense Platform is able to prevent the execution of NetWalker ransomware using multi-layer prevention that detects and blocks malware with threat intelligence, machine learning, and Next-Gen AV (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and generate a Malop™:\r\nMalop triggered due to the malicious activity\r\n\r\nAdditionally, using Cybereason’s PowerShell protection feature, Cybereason is able to detect and prevent the initial PowerShell infection stage of NetWalker:\r\nPowerShell protection blocks script which injects NetWalker\r\n\r\nMITRE ATT&CK TECHNIQUES\r\nInitial Access: Phishing\r\nExecution: PowerShell; JavaScript/JScript\r\nPersistence: Registry Run Keys / Startup Folder\r\nPrivilege Escalation: Access Token Manipulation\r\nDefense Evasion: Dynamic-link Library Injection\r\nLateral Movement: Taint Shared Content\r\nImpact: Data Encrypted for Impact\r\n\r\nTom Fakterman\r\nTom Fakterman, Cyber Security Analyst with the Cybereason Nocturnus Research Team, specializes in protecting critical networks and incident response. Tom has experience in researching malware, computer forensics and developing scripts and tools for automated cyber investigations.\r\n\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\n\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware"
	],
	"report_names": [
		"cybereason-vs.-netwalker-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bebfd582a7ec707b9788ddcc713b3b51465b1f87.pdf",
		"text": "https://archive.orkl.eu/bebfd582a7ec707b9788ddcc713b3b51465b1f87.txt",
		"img": "https://archive.orkl.eu/bebfd582a7ec707b9788ddcc713b3b51465b1f87.jpg"
	}
}