{
	"id": "67c916ba-c254-46e1-8816-acc7ec566252",
	"created_at": "2026-04-06T00:09:56.801243Z",
	"updated_at": "2026-04-10T03:24:29.358723Z",
	"deleted_at": null,
	"sha1_hash": "ee9c750e5293e4dbf5d5f3efb0e4c82dbfafac84",
	"title": "NetWalker Ransomware Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2285475,
	"plain_text": "NetWalker Ransomware Report\r\nArchived: 2026-04-05 12:58:21 UTC\r\nWritten by: Omer Solomon\r\nEXECUTIVE SUMMARY\r\nWith the world dealing with the Coronavirus crisis, cyber-criminals are taking advantage of the situation to spread new variants of ransomware via Coronavirus phishing campaigns.\r\nThe newest of these variants is NetWalker.\r\nHome users, enterprises, government agencies and health organizations have all reported being attacked by NetWalker.\r\nTwo widely reported attacks using NetWalker were on the Toll Group, an Australian transportation and logistics company, and on the Illinois Champaign-Urbana Public Health District (CUPHD) website, which temporarily prevented health district employees from accessing certain files.\r\nThese attacks forced the FBI and the U.S. Department of Homeland Security to step in, showing the severity of this crisis and how important it is to be familiar with this variant in order to prevent further attacks.\r\nThis is part of an extensive series of guides about Ransomware Protection.\r\nOverview of the NetWalker Payload\r\nNetWalker ransomware was discovered in August 2019. It was initially named Mailto, based on the extension appended to encrypted files, but analysis of one of its decryptors indicates that its name is NetWalker.\r\nNetWalker compromises the network and encrypts all Windows devices connected to it.\r\nWhen executed, NetWalker uses an embedded configuration that includes a ransom note, ransom note file names, and various configuration options.\r\nSo far, we have noticed that NetWalker spreads itself in two ways.\r\nOne way is via a VBS script attached to Coronavirus phishing emails, which executes the ransomware payload once it is double-clicked, or via Office documents that carry the VBS script inside them.\r\nThe second method is an executable file spread across the network; once a user executes it, 
without the right guards in place, it is game over.\r\nNetWalker Meta-Data\r\nhttps://www.cynet.com/attack-techniques-hands-on/netwalker-ransomware-report/\r\nPage 1 of 14\r\nAs we see above, the file impostor claims to belong to ‘Microsoft’, pretending to be legitimate and safe.\r\nAnother indicator is the high entropy of this executable. We can assume that the payload hides in the ‘.rsrc’ and ‘.reloc’ sections, which tells us that the attacker is trying to evade traditional AV mechanisms, which rely on signature-based static scanning of files on disk, by compressing the payload in a custom format.\r\nAttack Flow\r\nOnce the file is executed, the following sequence of events takes place:\r\nProcess Hollowing Technique\r\nThe attacker uses a technique called process hollowing to inject the payload into ‘explorer.exe’.\r\nProcess hollowing occurs when a process is created in a suspended state, its memory is unmapped and replaced with malicious code, and the process is then resumed so that the injected code runs under the legitimate image name.\r\nBelow we can see how the injected payload is located inside the explorer process.\r\nAfter the payload was injected into the legitimate ‘explorer.exe’ process, it spawned a new instance of ‘explorer.exe’ and the original executable process (58f13af3.exe) was killed. 
When a regular user looks at their Task Manager, they won’t see suspicious behavior, since the payload hides under a legitimate process.\r\nAnother confirmation that the payload was injected into explorer is the path: the injected instance runs from ‘SysWOW64’, while the real explorer process is located in the WINDOWS path. This is explained by the fact that the malicious file is 32-bit, and on a 64-bit operating system a 32-bit instance of explorer runs from the ‘SysWOW64’ folder.\r\nBelow we can see the path of the legitimate explorer.exe process; it runs from WINDOWS because the operating system is 64-bit, as it should.\r\nPersistence Technique\r\nIn order to maintain persistence on the user’s host, the payload deletes the original executable from its location, drops a copy in the user’s ‘AppData\\Roaming\\’ folder and creates a registry key that executes the file every time the host starts up.\r\nThe reason attackers like to drop malicious files into ‘AppData’ is that it is a hidden path in which a regular user won’t notice a malicious file, and no administrator account is required to write to it: regular users also have ‘write’ permissions there.\r\nEncryption Technique\r\nSo far, we have seen the injection of the payload into explorer and the persistence set up to keep the malware on the system.\r\nThe next step is the encryption itself: most of the files on the host are encrypted and their extensions are changed to ‘mailto[knoocknoo@cock.li].[generated-file-name]’.\r\nAfter digging a little deeper into the payload, we found its configuration, which contains the paths that are 
excluded from encryption and a list of processes to be terminated if they are running.\r\nFor example, if a user has a Word document open while the malware executes, Word is terminated immediately to avoid any interruption of the encryption.\r\nSoftware paths and processes excluded from encryption, for example: *\\program files*\\vmware, **windows defender**, *media player, etc.\r\nFile extensions excluded from encryption, for example: ‘exe’, ‘msi’, ‘ps1’, ‘cmd’, etc.\r\nProcesses killed to avoid interrupting the encryption: wordpad.exe, winword.exe, outlook.exe, excel.exe, oracle.exe, ntrtscan.exe, *sql*, etc.\r\nThe path exclusions combined with the kill list are meant to keep the host functional while the relevant user files are encrypted smoothly, so that the user is still able to pay the ransom.\r\nOnce file encryption is complete, a ransom note with further instructions is dropped in each folder that contains encrypted files.\r\nThe note includes a unique code and two email addresses that belong to the attackers.\r\nObfuscation Technique\r\nWhen we dive into the payload’s memory strings to locate anything related to the ransom note, we find obfuscated strings.\r\nAfter a deeper look, we identify the encoding used for these strings: Base64.\r\nBelow is the ransom note template after Base64-decoding the strings, together with the variables that are attached to the template, including the attacker email addresses.\r\nErasing Backup Copies\r\nIn order 
to erase all backup copies on the host, an instance of ‘vssadmin.exe’ is spawned both from the first injected explorer and from the second instance that the first one spawned. Both run silently with the same command in order to delete the volume shadow copies and prevent files from being recovered from them.\r\nNetWalker Variants in the Field\r\nAnother common way this ransomware is distributed in the field is via phishing emails related to COVID-19 updates.\r\nAt the office, it is common to be more aware of the kinds of emails coming through; there is a certain vigilance about opening suspicious emails or clicking unknown links. At home, though, remote employees may let their guard down.\r\nThe attack flow starts with an email carrying an attachment that supposedly contains updates and information regarding COVID-19. One of the most common forms is an Office document, such as a ‘Word’ or ‘Excel’ file, containing macros (a series of commands and instructions grouped together as a single command to accomplish a task automatically) that execute the ‘VBS’ script.\r\nDouble-clicking the masquerading file or opening the malicious Office document starts executing the payload through ‘wscript.exe’, the Windows Script Host, which provides scripting capabilities on Windows.\r\nA new executable named ‘qwSw.exe’ is dropped in the user’s temporary directory ‘AppData\\Local\\Temp’ and executed.\r\nOnce the executable is running, the following steps occur:\r\nA registry key is set to maintain persistence of the payload on the host, under ‘HKLM\\SOFTWARE\\’ and ‘HKCU\\SOFTWARE\\’.\r\nAll files are encrypted and their extensions changed, except for the files the attacker excludes in order to keep the host 
functional.\r\nThe ‘vssadmin.exe’ tool is launched to delete the volume shadow copies so that files cannot be restored from them.\r\nA ransom note with instructions is dropped in several locations on the host.\r\nVariants Comparison\r\nWe see two main techniques that produce different attack flows but eventually lead to the same result: demanding money to recover your data.\r\nProcess hollowing does not occur when the VBS script is executed, as opposed to the ‘EXE’ file.\r\nThe location of the created registry keys also differs: the VBS payload was able to set registry keys in both ‘HKCU’ and ‘HKLM’, covering the entire machine, whereas the executable only reached ‘HKCU’, the current user.\r\nThe rest of the events are pretty much the same.\r\nCynet VS NetWalker\r\nCynet detects and prevents this attack using several mechanisms:\r\nAnti-Virus/AI – This alert triggers when Cynet’s AV/AI engine detects a malicious file that was dumped on the disk.\r\nADT – Ransomware Heuristic – This alert triggers when Cynet detects suspicious behavior that can be associated with ransomware (such as an attempt to delete shadow copies).\r\nADT – Malicious Binary – This alert triggers when Cynet detects a file that is flagged as malicious in the built-in threat intelligence database of Cynet’s endpoint scanner.\r\nMemory Pattern – This alert triggers when Cynet detects memory strings associated with malware or with malicious files.\r\nRECOMMENDATIONS\r\nIn order to clean up an infected host, it is crucial to revert each of the steps taken by the attack payload.\r\nBe aware of phishing emails that contain attachments.\r\nClean the registry of any manipulated values (once infected).\r\nDelete the malicious 
file from the paths listed below (once infected).\r\nBlacklist the SHA256 hashes of the ransomware.\r\nEnable the heuristic, AV and driver mechanisms.\r\nIf necessary, format the host and install a clean version of Windows (once infected).\r\nINDICATORS OF COMPROMISE\r\nRegistry keys:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\56f13af3 [1]\r\nHKCU\\software\\56f13af3\\56f13af3 [1]\r\nHKCU\\software\\classes\\virtualstore\\machine\\software\\\r\n[1] “56f13af3” stands for 8 randomized characters.\r\nPayload instance locations:\r\nC:\\User\\AppData\\Local\\Temp\\****.exe\r\nC:\\User\\AppData\\Roaming\\****\\****.exe\r\nRansom note names:\r\n{ID}-Readme.txt (e.g. 58f13-Readme.txt)\r\nEmails related to the attacker:\r\n{Random}@cock.li\r\n{Random}@tuta.io\r\nSHA256 hashes (examples):\r\nad8d379a4431cabd079a1c34add903451e11f06652fe28d3f3edb6c469c43893\r\nf69fb7049f7a75f75c3a6bba86741b8ccdd28dbf7fe65bc0c7700c3905447512\r\nd950a94534129202aa308f22d6c3d33f71af884d5556671a2b7f6ba8994cc995\r\n1f327163478eff3a64a7af170098c10a482df67fd9454b5f64078be516b200f1\r\n9f9027b5db5c408ee43ef2a7c7dd1aecbdb244ef6b16d9aafb599e8c40368967\r\n8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160\r\nc414bbb789af8e3fb93b33344b31f1991582ec0f06558b29a3178d2b02465c72\r\nde04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d\r\nSource: https://www.cynet.com/attack-techniques-hands-on/netwalker-ransomware-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cynet.com/attack-techniques-hands-on/netwalker-ransomware-report/"
	],
	"report_names": [
		"netwalker-ransomware-report"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee9c750e5293e4dbf5d5f3efb0e4c82dbfafac84.pdf",
		"text": "https://archive.orkl.eu/ee9c750e5293e4dbf5d5f3efb0e4c82dbfafac84.txt",
		"img": "https://archive.orkl.eu/ee9c750e5293e4dbf5d5f3efb0e4c82dbfafac84.jpg"
	}
}
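Added worked example for the Encryption Technique section of the report above: a model of how the embedded configuration decides which processes to kill, which files to skip, how the surviving files are renamed and where the ransom note lands. This is illustrative code written for this page, not Cynet's tooling and not the malware's own routine. The wildcard patterns, extension list, kill list, the 'mailto[...]' extension and the '{ID}-Readme.txt' note name are the ones the report quotes; the sample file list and process list are constructed for the demo, and matching each pattern case-insensitively against the full path and every parent folder is an assumption about how the malware evaluates its exclusions.

```python
"""
Added example (not from the Cynet report): model of NetWalker's
configuration-driven encryption scope. Patterns, extensions, kill list and
naming come from the report; sample inputs are constructed; the path/parent
matching strategy is an assumption.
"""
import fnmatch
import json
from pathlib import PureWindowsPath

# Exclusion patterns quoted in the report (glob syntax; '**' behaves like '*').
EXCLUDED_PATH_PATTERNS = [
    "*\\program files*\\vmware",
    "**windows defender**",
    "*media player",
]
EXCLUDED_EXTENSIONS = {"exe", "msi", "ps1", "cmd"}
KILL_PROCESS_PATTERNS = [
    "wordpad.exe", "winword.exe", "outlook.exe", "excel.exe",
    "oracle.exe", "ntrtscan.exe", "*sql*",
]
ATTACKER_EMAIL = "knoocknoo@cock.li"   # from the encrypted-file extension in the report

# Constructed sample input (not from the report).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\setup.exe",
    r"C:\Program Files\VMware\VMware Tools\vmtoolsd.dll",
    r"C:\Program Files\Windows Defender\MpCmdRun.exe",
    r"C:\Program Files\Windows Media Player\skins\default.wmz",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\AppData\Local\Temp\fix.ps1",
]
SAMPLE_PROCESSES = ["explorer.exe", "WINWORD.EXE", "sqlservr.exe",
                    "chrome.exe", "MySQLd.exe", "ntrtscan.exe"]


def _path_and_parents(path):
    """Yield the lower-cased full path followed by each ancestor directory."""
    p = PureWindowsPath(path)
    yield str(p).lower()
    for parent in p.parents:
        yield str(parent).lower()


def is_excluded(path):
    """True if the config would leave this file alone (extension or path match)."""
    if PureWindowsPath(path).suffix.lstrip(".").lower() in EXCLUDED_EXTENSIONS:
        return True
    return any(fnmatch.fnmatchcase(candidate, pattern.lower())
               for candidate in _path_and_parents(path)
               for pattern in EXCLUDED_PATH_PATTERNS)


def processes_to_kill(running):
    """Processes on the kill list, so open file handles do not block encryption."""
    return [name for name in running
            if any(fnmatch.fnmatchcase(name.lower(), pattern)
                   for pattern in KILL_PROCESS_PATTERNS)]


def encrypted_name(path, victim_id):
    """Original name plus the 'mailto[email].<id>' extension the report shows."""
    return f"{path}.mailto[{ATTACKER_EMAIL}].{victim_id}"


def plan_encryption(files, running, victim_id):
    """One pass of the routine: kill list, skip list, renames and a note per folder."""
    encrypt, skip, note_folders = {}, [], []
    for path in files:
        if is_excluded(path):
            skip.append(path)
            continue
        encrypt[path] = encrypted_name(path, victim_id)
        folder = str(PureWindowsPath(path).parent)
        if folder not in note_folders:
            note_folders.append(folder)
    notes = [str(PureWindowsPath(d) / f"{victim_id}-Readme.txt") for d in note_folders]
    return {"kill": processes_to_kill(running), "skip": skip,
            "encrypt": encrypt, "ransom_notes": notes}


if __name__ == "__main__":
    print(json.dumps(plan_encryption(SAMPLE_FILES, SAMPLE_PROCESSES, "58f13"), indent=2))
```

The exclusion list is what keeps the host bootable and the ransom note readable: executables, installers and scripts survive, as does anything under the VMware, Windows Defender and Media Player folders, while a document such as budget.xlsx is renamed and its folder receives a note. The '*sql*' entry on the kill list is why database services on the same host stop before encryption begins, which is a useful signal on its own.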
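Added worked example for the Attack Flow, Erasing Backup Copies and NetWalker Variants sections of the report above: the host-level checks those sections imply, run over constructed endpoint telemetry. This is illustrative detection logic written for this page, not Cynet's engine and not code from the report. The event layout (dicts for process-creation and registry-set records) is an assumption; the image paths, the Run key, the 8-character value name and the SHA256 values come from the report's analysis and IOC table. The report does not print the vssadmin command line, so the standard 'delete shadows' syntax used in the sample event is an assumption, as is C: being the system drive.

```python
"""
Added example (not from the Cynet report): behavioural checks for the
NetWalker attack flow over constructed telemetry. Event layout, the vssadmin
command line and the C: system drive are assumptions; paths, registry key,
value-name shape and hashes come from the report.
"""
import re
from pathlib import PureWindowsPath

# Two of the sample hashes from the report's IOC table.
NETWALKER_SHA256 = {
    "ad8d379a4431cabd079a1c34add903451e11f06652fe28d3f3edb6c469c43893",
    "f69fb7049f7a75f75c3a6bba86741b8ccdd28dbf7fe65bc0c7700c3905447512",
}
OFFICE_APPS = {"winword.exe", "excel.exe"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RANDOM_NAME = re.compile(r"^[0-9a-f]{8}$")   # IOC value name, e.g. 56f13af3
LEGIT_EXPLORER = r"c:\windows\explorer.exe"  # assumes C: is the system drive

# Constructed telemetry (not from the report): one NetWalker-like sequence
# plus two benign records (index 0 and index 8).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"type": "process", "image": r"C:\Users\alice\Downloads\58f13af3.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "ad8d379a4431cabd079a1c34add903451e11f06652fe28d3f3edb6c469c43893"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent_image": r"C:\Users\alice\Downloads\58f13af3.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent_image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet",   # assumed syntax
     "parent_image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "56f13af3", "data": r"C:\Users\alice\AppData\Roaming\56f13af3\56f13af3.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\qwSw.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def _base(path):
    return PureWindowsPath(path).name.lower()


def rule_known_hash(ev):
    """Recommendation from the report: blacklist the sample SHA256 hashes."""
    return ev["type"] == "process" and ev.get("sha256", "").lower() in NETWALKER_SHA256


def rule_hollowed_explorer(ev):
    """A 32-bit explorer.exe on 64-bit Windows runs from SysWOW64; the real
    shell lives directly under the Windows folder, so any other path is suspect."""
    return (ev["type"] == "process" and _base(ev["image"]) == "explorer.exe"
            and ev["image"].lower() != LEGIT_EXPLORER)


def rule_shadow_copy_deletion(ev):
    """vssadmin spawned to delete volume shadow copies before encryption."""
    return (ev["type"] == "process" and _base(ev["image"]) == "vssadmin.exe"
            and "delete shadows" in ev.get("cmdline", "").lower())


def rule_run_key_persistence(ev):
    """Run value with an 8-hex-character name whose data points into AppData/Roaming."""
    if ev["type"] != "registry" or ev["key"].lower() != RUN_KEY:
        return False
    return (bool(RANDOM_NAME.match(ev["value"].lower()))
            and "\\appdata\\roaming\\" in ev["data"].lower())


def rule_office_script_chain(ev):
    """Macro -> wscript.exe, or wscript.exe running a dropped EXE from Temp."""
    if ev["type"] != "process":
        return False
    child, parent = _base(ev["image"]), _base(ev.get("parent_image", ""))
    if child == "wscript.exe" and parent in OFFICE_APPS:
        return True
    return (parent == "wscript.exe" and child.endswith(".exe")
            and "\\appdata\\local\\temp\\" in ev["image"].lower())


RULES = [("known_hash", rule_known_hash),
         ("hollowed_explorer", rule_hollowed_explorer),
         ("shadow_copy_deletion", rule_shadow_copy_deletion),
         ("run_key_persistence", rule_run_key_persistence),
         ("office_script_chain", rule_office_script_chain)]


def detect(events):
    """Return (rule_name, event_index) for every rule that each event trips."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, i in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"{name:22} event[{i}] {ev.get('image') or ev.get('key')}")
```

The hash rule is the weakest of the five, since a repacked sample defeats it; the path check on explorer.exe, the shadow-copy deletion and the Office-to-wscript-to-Temp chain are what distinguish the two variants the report compares, and they hold regardless of the sample's hash. A 32-bit explorer.exe under SysWOW64 can occasionally be legitimate, so in production confirm the parent process and the loaded modules before acting on that rule alone.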