{
	"id": "d93f2307-cc0f-43a0-b229-c3e43508cbed",
	"created_at": "2026-04-06T00:09:37.029025Z",
	"updated_at": "2026-04-10T03:35:43.298657Z",
	"deleted_at": null,
	"sha1_hash": "de709b58d88843e1ac68fddca05353dff75e7732",
	"title": "Netwalker Ransomware Guide: Everything You Need to Know",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1743487,
	"plain_text": "Netwalker Ransomware Guide: Everything You Need to Know\r\nBy Nathan Coppinger\r\nPublished: 2020-11-17 · Archived: 2026-04-05 16:40:55 UTC\r\nEmotet, Trickbot, Maze, Ryuk, and now Netwalker ransomware: cybercrime has grown sharply in the\r\nlast year. Ransomware has been a serious plight across industries big and small, public and private, with no sign of\r\nletting up.\r\nIn 2019 alone, attackers extorted an estimated $11.5 billion from their victims, up from $8B in 2018. Experts\r\nestimate that the cost of ransomware attacks will nearly double to $20B by 2021. Netwalker (aka\r\nMailto) has cashed in over $30M in ransoms since its first significant attacks in March 2020.\r\nWhat is Netwalker Ransomware?\r\nNetwalker is a fast-growing ransomware family created in 2019 by the cybercrime group known as ‘Circus\r\nSpider’. Circus Spider is one of the newer members of the ‘Mummy Spider’ cybercriminal group. On the\r\nsurface, Netwalker acts like most other ransomware variants, establishing an initial foothold through phishing\r\nemails, then exfiltrating and encrypting sensitive data to hold hostage for a large ransom.\r\nNetwalker does more than hold the victims’ data hostage, however. To show they are serious, Circus Spider\r\nleaks a sample of the stolen data online and states that if the victim does not meet their demands in time, they\r\nwill release the rest on the dark web. In one case Circus Spider leaked a victim’s sensitive data onto the dark web in a\r\npassword-protected folder and published the password online.\r\nNetwalker Ransomware Adopts a RaaS Model\r\nIn March 2020, Circus Spider set out to make Netwalker a household name and expanded its affiliate network, much like the Maze ransomware gang. 
Shifting to a ransomware-as-a-service (RaaS) model allowed them to operate on a much larger scale, target more organizations, and increase the\r\nsize of their ransoms.\r\nRaaS involves recruiting affiliates to carry out the intrusions on the core group’s behalf. As mentioned above,\r\nNetwalker started gaining momentum with a few big scores, but it was still relatively small compared to\r\nthe other big-time ransomware gangs until it adopted the RaaS model.\r\nTo gain the (dis)honor of joining this small band of criminals, applicants had to meet a specific set of criteria that Circus Spider\r\nposted: a criminal job posting, if you please.\r\nTheir main criteria for affiliates consist of:\r\nExperience in networks\r\nhttps://www.varonis.com/blog/netwalker-ransomware/\r\nPage 1 of 12\n\nSpeaks Russian (specifically, they do not accept English speakers)\r\nThey will not train inexperienced users\r\nConsistent access to quality targets\r\nProof of experience\r\nThe Sodinokibi/REvil ransomware gang is looking for partners specialized in network attacks\r\npic.twitter.com/m3lYN5qk8t\r\n— Catalin Cimpanu (@campuscodi) April 19, 2020\r\n…and now, the Netwalker (Mailto) ransomware gang is also looking for two partners specialized in\r\nnetwork attacks\r\nTrend for ransomware attacks/intrusions is pretty obvious these days. Gangs moving away from spear-phishing to targeting internet-exposed RDPs and servers. 
pic.twitter.com/VKWl9Q0vaa\r\n— Catalin Cimpanu (@campuscodi) April 29, 2020\r\nTo attract the best prospects possible, Circus Spider published a list of features that their new partners, if chosen,\r\nwould be granted access to.\r\nThese include:\r\nFully automatic TOR chat panel\r\nObserver rights\r\nWorks on all Windows devices from Windows 2000 up\r\nFast multi-thread locker\r\nFast and flexible locker settings\r\nUnlocker processes\r\nAdjacent network encryption\r\nUnique PowerShell builds making it easier to deal with antivirus software\r\nInstant payouts\r\nWho and What Does Netwalker Ransomware Target?\r\nSince their first big score in March 2020, there has been an uptick in Netwalker ransomware attacks, primarily targeting\r\nhealthcare and education institutions. One of the more publicized attacks hit a large university that\r\nspecializes in medical research. The attackers stole the university’s sensitive data and, to show that\r\nthey weren’t playing around, leaked a sample of it. This sample included student\r\napplications containing social security numbers and other sensitive personal data. The breach ended with\r\nthe victim paying a $1.14M ransom to decrypt its data.\r\nThere has been a big push by Netwalker attackers to capitalize on the chaos of COVID-19 by sending out\r\npandemic-related phishing emails and targeting healthcare institutions that are already overwhelmed by the\r\npandemic. One of the first healthcare victims had their public website taken down by the ransomware just as the public began\r\nto turn to it for advice during the pandemic. The attack forced the organization to launch a second site and route users to\r\nthe new one, causing distress and confusion for everyone involved. 
As the year went on, Netwalker and other\r\nransomware groups continued to target healthcare institutions, particularly because they tend to have understaffed\r\nIT departments and are focused more heavily on other areas of their organizations.\r\nIn addition to healthcare and education, Netwalker targets various other industries including:\r\nManufacturing\r\nBusiness management solutions\r\nCustomer experience management\r\nElectromobility and battery solutions\r\nAnd many more\r\nHow Does Netwalker Work?\r\nStep 1: Phishing and Infiltration\r\nNetwalker relies heavily on phishing and spear-phishing as its method of infiltration, and, as the recruitment tweets above show, affiliates\r\nwith network experience also go after internet-exposed RDP and servers. As is the norm for\r\nphishing campaigns, Netwalker sends emails that appear to come from legitimate sources\r\nto trap victims. A common lure attaches a VBS script named “CORONAVIRUS_COVID-19.vbs”, which launches the ransomware when the recipient double-clicks the attachment or opens an attached Word document\r\nthat contains the malicious script.\r\n(VBS Script)\r\nStep 2: Data Exfiltration and Encryption\r\nIf the script runs on your system, Netwalker has officially begun to burrow into your network, and\r\nthe countdown to encryption begins. The loader does not drop a new executable for antivirus to scan. Instead it injects the ransomware code into a running, legitimate Windows process, which public analyses of the fileless PowerShell builds identify as explorer.exe, so that the encryption runs under a trusted process name.\r\nInjecting into a live process this way belongs to the process-injection family: process hollowing is one variant, and the reflective DLL loading used by the PowerShell builds is a close relative. Either way the payload never sits on disk under its own name, which defeats detection keyed only on files written to disk.\r\nRunning inside a trusted process gives the ransomware plenty of time to work its way through the network unseen: exfiltrating\r\nand encrypting data, deleting back-ups, and leaving backdoors before anyone notices anything is wrong.\r\nStep 3: Data Extortion and Recovery (or Loss)\r\nOnce Netwalker has finished exfiltrating and encrypting data, the victim will have noticed something is terribly\r\nwrong and finds the dreaded ransom note. Netwalker’s ransom note is relatively standard, laying out what has just\r\noccurred and what needs to happen next if the user wants their data returned safely. Circus Spider then\r\ndemands a set amount of money, paid in Bitcoin through a TOR browser portal.\r\n(Image of the ransom note; Source)\r\nOnce victims meet the demands, they are granted access to a custom decryption tool to decrypt\r\ntheir data. If they do not meet the demands in time, Circus Spider increases the ransom and/or releases some or all of the stolen data onto the dark web.\r\nBelow is a diagram of Netwalker’s specific attack path\r\n(Diagram of the Netwalker attack path; source)\r\nTips on Protecting Yourself From Netwalker Ransomware\r\nNetwalker continues to become more sophisticated and harder to defend against, mainly as they grow their\r\naffiliate network, and it is imperative to take steps to protect yourself. Netwalker has done enough damage to\r\ncatch the U.S. 
government’s eye, and the FBI released a TLP:WHITE Flash alert\r\nadvising organizations to be on the lookout for malicious phishing emails related to the pandemic.\r\nThe FBI recommended the following mitigations:\r\nBack up critical data offline.\r\nEnsure copies of critical data are in the cloud or on an external hard drive or storage device.\r\nSecure your back-ups and ensure data is not accessible for modification or deletion from the system where\r\nthe data resides.\r\nInstall and regularly update anti-virus or anti-malware software on all hosts.\r\nOnly use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.\r\nUse two-factor authentication with strong passwords.\r\nKeep computers, devices, and applications patched and up to date. Netwalker, like other ransomware, takes\r\nadvantage of vulnerabilities in your systems and infrastructure to take control of users’ computers and\r\nentire networks and holds your data hostage until you pay the ransom.\r\nThe back-up items deserve the most attention against Netwalker specifically: the ransomware deletes any back-ups it can reach before it encrypts (Step 2 above), so a copy that the compromised account can modify or delete is no recovery path at all.\r\nWhile these procedures will limit the damage once the ransomware is inside your system, they are still just that, mitigation.\r\nPerforming them proactively will help contain the spread and reduce the damage once an infection has occurred, but prevention education is the most powerful weapon in\r\nthe war against Netwalker.\r\nDon’t Get Caught on This Phishing Trip\r\nBecause Netwalker mainly uses phishing attacks with malicious links and executables to infect systems, educating\r\nyour organization on the dangers of phishing campaigns and what to look for to filter out suspicious emails is\r\nimperative to the safety and protection of your sensitive data. Requiring regular data security training is an\r\nexcellent prevention method and helps your organization learn the signs of malicious emails. 
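The sender and attachment checks in the list that follows are also the ones a mail gateway can apply before a person ever sees the message. The script below is an added example, not code from the original post or from Varonis: it builds two constructed messages with Python’s standard email library, one shaped like the CORONAVIRUS_COVID-19.vbs lure described in Step 1 and one benign, and scores each. The internal directory, the domains and the lists of executable and macro-capable extensions are assumptions made for the example, not data from the article.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for the example: extensions that run on double-click (the VBS
# case from Step 1) and Office formats that can carry macros.
EXECUTABLE_EXTENSIONS = {'vbs', 'vbe', 'js', 'jse', 'wsf', 'hta', 'exe', 'scr', 'ps1', 'bat', 'cmd', 'lnk'}
MACRO_CAPABLE = {'doc', 'dot', 'docm', 'xls', 'xlsm', 'pptm'}
LURE_WORDS = ('coronavirus', 'covid', 'pandemic')
# Constructed stand-in for the address book a gateway would consult; these
# are the display names an attacker copies when impersonating a colleague.
INTERNAL_DIRECTORY = {'jane doe': 'jane@corp.example', 'it helpdesk': 'helpdesk@corp.example'}


def domain_of(address):
    '''Lower-cased domain part of an address, or an empty string.'''
    return address.rpartition('@')[2].lower()


def triage_message(msg):
    '''Return (severity, reason) findings for one EmailMessage.
    3 = block, 2 = hold for review, 1 = deliver with a warning banner.'''
    findings = []
    display_name, from_addr = parseaddr(str(msg.get('From', '')))
    from_domain = domain_of(from_addr)

    # Display-name impersonation: a known internal name over an external domain.
    known = INTERNAL_DIRECTORY.get(display_name.strip().lower())
    if known and domain_of(known) != from_domain:
        findings.append((3, f'display name {display_name!r} impersonates internal user {known!r}'))

    # Replies silently redirected to a domain other than the sender domain.
    _, reply_to = parseaddr(str(msg.get('Reply-To', '')))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append((2, f'Reply-To domain {domain_of(reply_to)!r} differs from From domain {from_domain!r}'))

    for part in msg.iter_attachments():
        name = (part.get_filename() or '').lower()
        pieces = name.split('.')
        ext = pieces[-1] if len(pieces) > 1 else ''
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((3, f'attachment {name!r} is directly executable'))
        elif ext in MACRO_CAPABLE:
            findings.append((2, f'attachment {name!r} can carry macros'))
        # report.pdf.vbs style names hide the real type behind a harmless one.
        if len(pieces) > 2 and pieces[-2] in {'pdf', 'doc', 'docx', 'txt', 'jpg'}:
            findings.append((3, f'attachment {name!r} uses a double extension'))
        if any(word in name for word in LURE_WORDS):
            findings.append((1, f'attachment {name!r} uses pandemic lure wording'))

    subject = str(msg.get('Subject', '')).lower()
    if any(word in subject for word in LURE_WORDS):
        findings.append((1, f'subject uses pandemic lure wording: {subject!r}'))
    return findings


def verdict(findings):
    '''Collapse findings into a gateway action.'''
    worst = max((severity for severity, _ in findings), default=0)
    return {3: 'block', 2: 'review', 1: 'warn'}.get(worst, 'deliver')


def build_lure():
    '''Constructed message shaped like the lure Step 1 describes; not a real capture.'''
    msg = EmailMessage()
    msg['From'] = 'Jane Doe <jane.doe@covid-notice.example>'
    msg['Reply-To'] = 'replies@mailer.example'
    msg['To'] = 'staff@corp.example'
    msg['Subject'] = 'CORONAVIRUS COVID-19 guidance: read immediately'
    msg.set_content('Please review the attached guidance.')
    msg.add_attachment(b'WScript.Echo 1', maintype='application', subtype='octet-stream',
                       filename='CORONAVIRUS_COVID-19.vbs')
    return msg


def build_benign():
    '''Constructed ordinary internal message with a data attachment.'''
    msg = EmailMessage()
    msg['From'] = 'Jane Doe <jane@corp.example>'
    msg['To'] = 'staff@corp.example'
    msg['Subject'] = 'Q3 figures'
    msg.set_content('Spreadsheet attached.')
    msg.add_attachment('1,2,3', subtype='csv', filename='q3.csv')
    return msg


if __name__ == '__main__':
    for message in (build_lure(), build_benign()):
        findings = triage_message(message)
        print(message['Subject'], '->', verdict(findings))
        for severity, reason in findings:
            print('   ', severity, reason)
```

A gateway rule like this catches the mechanical cases (a script attachment, a copied display name over a foreign domain, a Reply-To pointing elsewhere); the human checks below remain necessary for the messages that pass it.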
Here are some things\r\nto check anytime you receive an email asking you to click a link, download a file, or share your credentials.\r\nDouble-check the sender name and the domain the email is from; a familiar name over an unfamiliar domain is the classic spoof\r\nCheck for obvious spelling errors in the subject and body\r\nDo not share credentials; legitimate senders will never ask for them\r\nDo not open unexpected attachments or follow suspicious links\r\nReport suspicious emails to whoever handles your IT security\r\nTo ensure that your social engineering education has made an impact on your security posture, we also recommend\r\nrunning attack simulations. Sending out fake phishing emails to your organization is a great way to gauge your\r\nsecurity training’s success and pinpoint who might need a little extra help. Track metrics on user\r\ninteractions to see who interacts with any of the links or attachments, gives out their credentials, or reports it to\r\nyour organization’s proper authorities.\r\nHow Varonis Can Help\r\nEducating your organization on ransomware-related phishing attacks is a great help in protecting your sensitive\r\ndata. But taking your defenses a step further with proactive threat detection and data security can limit your\r\nexposure to damaging consequences even further.\r\nProtect Yourself with Behavior-Based Threat Detection\r\nVaronis can alert you to early signs of compromise by ransomware gangs with behavior-based threat models for\r\neach phase of the kill chain. We build users’ profiles across multiple platforms, combining subtle deviations in\r\nemail behavior with suspicious logon events, network connections, and data access. 
These unique combinations\r\nhelp us catch threats other security solutions miss and result in few false positives.\r\nVaronis can detect phishing attempts by monitoring Microsoft Exchange and Exchange Online mailboxes for\r\nmalicious file attachments that match a dictionary of known patterns used in standard ransomware spam\r\ntemplates.\r\nWith Edge’s proxy-based detections, customers can also detect when a user downloads an attachment or clicks on\r\na link within the body of an email that results in a malicious Netwalker loader download.\r\nIf a compromised user account begins accessing sensitive data, Varonis’ behavior-based threat detection will be on\r\ntop of it. Varonis uses multiple behavior models to learn how specific users access data regularly and can detect\r\nwhen that user starts to access an unusual amount of data compared to their normal behavior. Varonis can\r\ndifferentiate between manual and automated actions and catch if a user begins to exfiltrate and encrypt files in an\r\nabnormal manner, stopping the ransomware in its tracks. Many customers automate responses to this kind of\r\nbehavior, disabling the account and killing active connections.\r\nBy watching file system activity, Varonis quickly detects when ransomware saves known penetration tools to disk\r\n(a common Netwalker tactic), or when a user searches file shares for files containing passwords or other sensitive\r\ndata. Any given user account typically has access to far more data than it should, so these searches are\r\nfrequently fruitful – more on mitigating this below.\r\nGet to Least Privilege and Reduce Your Attack Surface\r\nHaving the right detection in place is a crucial step toward protecting your organization from ransomware. 
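As an added example of the kind of behaviour-based check the paragraphs above describe (not Varonis code and not from the original post), the script below runs over constructed file-activity audit records. It finds, per user, the densest one-minute burst of writes, renames and deletes; compares it with a per-user baseline that stands in for a learned profile (here a constructed dict); treats sub-second, regular gaps spread across several directories as the signature of automated encryption rather than a person working; and then lists every path the flagged account touched in that window, which is the restore list the Stay Alert section further down calls for. Account names, paths, timings and the renamed extension are all invented for the example.

```python
from datetime import datetime, timedelta
from statistics import median

# Actions that change data; reads alone are not an encryption signature.
WRITE_ACTIONS = {'write', 'rename', 'delete'}


def constructed_events():
    '''Constructed audit records (time, user, action, path); not real telemetry.
    alice behaves like a person. svc-backup is a compromised service account
    that starts rewriting and renaming files at machine speed across shares.'''
    t0 = datetime(2020, 11, 17, 9, 0, 0)
    events = [
        (t0, 'alice', 'read', '/shares/finance/q3.xlsx'),
        (t0 + timedelta(minutes=2), 'alice', 'write', '/shares/finance/q3.xlsx'),
        (t0 + timedelta(minutes=5), 'alice', 'read', '/shares/finance/budget.docx'),
        (t0 + timedelta(minutes=9), 'alice', 'write', '/shares/finance/budget.docx'),
        (t0 + timedelta(minutes=15), 'alice', 'read', '/shares/finance/notes.txt'),
        (t0 + timedelta(minutes=30), 'svc-backup', 'read', '/shares/hr/policy.pdf'),
    ]
    t1 = t0 + timedelta(minutes=31)
    shares = ['hr', 'finance', 'legal', 'research']
    for i in range(40):
        path = f'/shares/{shares[i % 4]}/doc{i:02d}.docx'
        # overwrite with ciphertext, then rename to an unfamiliar extension
        events.append((t1 + timedelta(milliseconds=400 * i), 'svc-backup', 'write', path))
        events.append((t1 + timedelta(milliseconds=400 * i + 150), 'svc-backup', 'rename', path + '.x9k2q'))
    return sorted(events)


def peak_write_window(events, user, window=timedelta(seconds=60)):
    '''Densest sliding window of write-like events for one user.
    Returns (count, start, end, distinct_directories, median_gap_seconds).'''
    hits = [(t, p) for t, u, a, p in events if u == user and a in WRITE_ACTIONS]
    best = (0, None, None, 0, None)
    left = 0
    for right in range(len(hits)):
        while hits[right][0] - hits[left][0] > window:
            left += 1
        count = right - left + 1
        if count > best[0]:
            span = hits[left:right + 1]
            dirs = {p.rsplit('/', 1)[0] for _, p in span}
            gaps = [(span[i][0] - span[i - 1][0]).total_seconds() for i in range(1, len(span))]
            best = (count, span[0][0], span[-1][0], len(dirs), median(gaps) if gaps else None)
    return best


def detect_encryption_behaviour(events, baseline_writes_per_minute,
                                burst_multiplier=10, min_burst=20, max_median_gap=1.0):
    '''Flag users whose peak one-minute burst is far above their baseline and
    looks automated: sub-second regular gaps, spread over several directories.
    baseline_writes_per_minute stands in for a learned per-user profile; in
    this example it is a constructed dict.'''
    alerts = {}
    for user in sorted({u for _, u, _, _ in events}):
        count, start, end, ndirs, gap = peak_write_window(events, user)
        threshold = max(min_burst, burst_multiplier * baseline_writes_per_minute.get(user, 1.0))
        if count >= threshold and gap is not None and gap <= max_median_gap and ndirs >= 2:
            alerts[user] = {'writes': count, 'start': start, 'end': end,
                            'dirs': ndirs, 'median_gap_s': gap}
    return alerts


def affected_files(events, user, start, end):
    '''Restore list: every path the user wrote, renamed or deleted in the window.'''
    return sorted({p for t, u, a, p in events
                   if u == user and a in WRITE_ACTIONS and start <= t <= end})


if __name__ == '__main__':
    events = constructed_events()
    # Constructed baselines: what each account normally writes per minute.
    alerts = detect_encryption_behaviour(events, {'alice': 3.0, 'svc-backup': 0.5})
    for user, info in alerts.items():
        print(user, info)
        for path in affected_files(events, user, info['start'], info['end'])[:5]:
            print('   ', path)
```

The thresholds (ten times the baseline, at least twenty writes, a median gap under a second, at least two directories) are starting points rather than tuned values; a real deployment learns them per user and per share. A legitimate bulk job such as a migration script trips the same rule, which is why the output is an alert carrying a file list, to be wired to account disablement only once that class of job is accounted for. Detection of this kind is one half of the job.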
Equally\r\nimportant, however, is ensuring that if ransomware does evade initial detection, its impact is minimal.\r\nOrganizations can do this by minimizing the data they have exposed, thereby limiting the data that can be\r\nencrypted or stolen. Varonis reveals where data is overly accessible and automates processes to lock it down so\r\nyou can not only limit your attack surface but also limit the damage a ransomware infection can do.\r\nStay Alert and on Top of Things… Time is of The Essence\r\nIf you suspect that you have been a victim of the Netwalker ransomware, act quickly. Run a query for all the file\r\naccesses and modifications made by the suspect account (or any user) over the period in question to pinpoint affected files and restore the\r\ncorrect versions. You can also call on our world-class Incident Response Team for help investigating an incident\r\nfor free.\r\nHarden Your Defenses– Get a Free Ransomware Preparedness Assessment\r\nRansomware has become more sophisticated and harder to detect. Organizations need to proactively limit their\r\nattack surface and put in place effective detection methods to stay ahead. Varonis has extensive experience in\r\ndetecting and preventing ransomware infections. To see where you might be vulnerable and gauge your readiness\r\nfor a potential attack, sign up for a free ransomware preparedness assessment. We’ll provide you with a detailed\r\nreport customized to your environment and can discuss remediation steps you can take to better protect your\r\norganization from a damaging attack.\r\nSource: https://www.varonis.com/blog/netwalker-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.varonis.com/blog/netwalker-ransomware/"
	],
	"report_names": [
		"netwalker-ransomware"
	],
	"threat_actors": [
		{
			"id": "53201ab8-30d2-4722-816e-f914604e78df",
			"created_at": "2022-10-25T16:07:23.466825Z",
			"updated_at": "2026-04-10T02:00:04.620188Z",
			"deleted_at": null,
			"main_name": "Circus Spider",
			"aliases": [],
			"source_name": "ETDA:Circus Spider",
			"tools": [
				"Koko Ransomware",
				"MailTo",
				"NetWalker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "373d61cc-32a0-4c0c-b48b-ff9e3f1357ac",
			"created_at": "2023-01-06T13:46:39.222456Z",
			"updated_at": "2026-04-10T02:00:03.250483Z",
			"deleted_at": null,
			"main_name": "CIRCUS SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:CIRCUS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434177,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de709b58d88843e1ac68fddca05353dff75e7732.pdf",
		"text": "https://archive.orkl.eu/de709b58d88843e1ac68fddca05353dff75e7732.txt",
		"img": "https://archive.orkl.eu/de709b58d88843e1ac68fddca05353dff75e7732.jpg"
	}
}