{
	"id": "4e08e339-f0ff-4b06-8d29-27fde5709cba",
	"created_at": "2026-04-06T00:08:47.726762Z",
	"updated_at": "2026-04-10T13:12:37.282294Z",
	"deleted_at": null,
	"sha1_hash": "fdae41dd837c616e0e729cc13319cbd802a2713e",
	"title": "Ransomware Threat Assessments: A Companion to the 2021 Unit 42 Ransomware Threat Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1607643,
	"plain_text": "Ransomware Threat Assessments: A Companion to the 2021 Unit\r\n42 Ransomware Threat Report\r\nBy Unit 42\r\nPublished: 2021-03-17 · Archived: 2026-04-02 12:30:25 UTC\r\nThreat Assessment: NetWalker Ransomware\r\nExecutive Summary\r\nNetWalker ransomware was first observed in August 2019 and was originally called Mailto by the security\r\ncommunity because the encrypted files were changed to a .mailto extension. After analysis of a decryption tool,\r\nprovided by developers after payment, the true name given by its developers was found to be NetWalker. At the\r\ntime, it was a commodity threat, meaning it would be distributed via mass spam campaigns not taking into\r\nconsideration who their victims would be.\r\nA cybercrime group called Circus Spider, which is believed to be of Russian origin, created this ransomware.\r\nNetWalker has become a considerable threat to corporate victims in particular due to not only encrypting data but\r\nthreatening to publicly release sensitive data stolen during encryption.\r\nNetWalker Ransomware Overview\r\nIn March 2020, NetWalker shifted to a ransomware-as-a-service (RaaS) model, and the Circus Spider group began\r\nlooking for affiliates to propagate their malware. Affiliate attackers would be responsible for propagating the\r\nhttps://unit42.paloaltonetworks.com/ransomware-threat-assessments/2/\r\nPage 1 of 7\n\nmalware and would receive a percentage of the ransom collected in return. Circus Spider sought affiliates who met\r\nthe following requirements:\r\nSpeak Russian.\r\nExperience with Red Team skills.\r\nProof of experience.\r\nCircus Spider wanted their affiliates to take a more targeted approach toward larger and higher paying victims\r\nwith their malware. Victims have been reported to include hospitals, educational institutions and local\r\ngovernments. NetWalker often capitalizes on current events as part of their decoys. 
Since early 2020, several\r\ngroups leveraging NetWalker have used COVID-19 themed phishing emails to target and compromise a number\r\nof hospitals, as well as a university that specializes in medical research.\r\nFigure 1. NetWalker ransom note (source: Any.Run).\r\nAs part of RaaS, affiliates would target victims in one of several different methods. The following methods are the\r\nmost commonly observed:\r\nPhishing emails with attached malicious files, like VBScript or PowerShell.\r\nExposed or vulnerable Remote Desktop Protocol (RDP) services.\r\nEXE files.\r\nOnce in victims’ networks, affiliates often target and gather high-value data such as personally identifiable\r\ninformation (PII) or company-specific data. This data is then copied and exfiltrated before encrypting. Figure 1\r\nshows a sample NetWalker ransom note. Actors behind NetWalker often also attempt to dump credentials and\r\nlaterally move to other hosts, with the aim of compromising additional victims.\r\nThe exfiltrated data will be posted to a specific leak site that the NetWalker operators manage – similar to the\r\napproach used by many ransomware operators. Victims would then be on a countdown to pay ransom, with the\r\nprice demanded increasing as the countdown decreases.\r\nFigure 2. NetWalker leak site (source: ZDNet).\r\nIn 2020, Palo Alto Networks observed Netwalker victims in the government, healthcare, manufacturing,\r\ntransportation and logistics, and energy sectors. Victim locations span nearly every continent, with countries\r\nincluding US, Canada, Saudi Arabia, France, Germany, Australia, New Zealand, Sweden, Pakistan, India,\r\nThailand, UK, United Arab Emirates, Colombia, and South Africa.\r\nIn early 2021, authorities attempted a takedown of the NetWalker ransomware. 
This included an arrest,\r\nconfiscation of funds and seizure of the leak website, seen in the NetWalker leak site image above, where victims’\r\ndata is uploaded pending full release. It remains to be seen how effective these law enforcement actions will be in\r\nstopping Circus Spider developers, but it is a hopeful step in the direction of stopping and possibly prosecuting\r\nthese actors.\r\nMore information on NetWalker victimology can be found in the 2021 Unit 42 Ransomware Threat Report.\r\nCourses of Action\r\nThis section documents relevant tactics, techniques and procedures (TTPs) used with NetWalker and maps them\r\ndirectly to Palo Alto Networks product(s) and service(s). It also further instructs customers on how to ensure their\r\ndevices are configured correctly.\r\nProduct / Service Course of Action\r\nInitial Access, Execution, Command and Control, Lateral Movement, Defense Evasion, Persistence,\r\nPrivilege Escalation, Credential Access, Collection, Discovery\r\nThe below courses of action mitigate the following techniques:\r\nExploit Public-Facing Application [T1190], Windows Management Instrumentation [T1047], Ingress\r\nTool Transfer [T1105], Spearphishing Attachment [T1566.001], Valid Accounts [T1078], Lateral Tool\r\nTransfer [T1570], PowerShell [T1059.001], Visual Basic [T1059.005], Obfuscated Files or Information\r\n[T1027], Deobfuscate/Decode Files or Information [T1140], Service Execution [T1569.002], Windows\r\nCommand Shell [T1059.003], Registry Run Keys / Startup Folder [T1547.001], Dynamic-link Library\r\nInjection [T1055.001], OS Credential Dumping [T1003], Data from Local System [T1005], Modify\r\nRegistry [T1112], File and Directory Discovery [T1083]\r\nNGFW\r\nEnsure application security policies exist when allowing traffic from an untrusted zone\r\nto a more trusted zone\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic 
does not exist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat\r\nIntelligence Sources exists\r\nSet up File Blocking\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is enabled\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nEnsure remote access capabilities for the User-ID service account are forbidden\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into untrusted\r\nzones\r\nEnsure 'SSL Forward Proxy Policy' for traffic destined to the internet is configured\r\nEnsure 'SSL Inbound Inspection' is required for all untrusted traffic destined for\r\nservers using SSL or TLS\r\nEnsure that the certificate used for Decryption is trusted\r\nThreat Prevention† Ensure a Vulnerability Protection Profile is set to block attacks against critical and\r\nhigh vulnerabilities, and set to default on medium, low and informational\r\nvulnerabilities\r\nEnsure a secure Vulnerability Protection Profile is applied to all security rules allowing\r\ntraffic\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels,\r\ncategories and threats\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles in use\r\nEnsure a secure anti-spyware profile is applied to all security policies permitting traffic\r\nto the internet\r\nEnsure that all zones have Zone Protection Profiles with all Reconnaissance Protection\r\nsettings enabled, tuned and 
set to appropriate actions\r\nURL Filtering†\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of ‘block’ or ‘override’ on the \u003centerprise\r\napproved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure secure URL filtering is enabled for all security policies allowing traffic to the\r\ninternet\r\nWildFire†\r\nEnsure that WildFire file size upload limits are maximized\r\nEnsure forwarding is enabled for all applications and file types in WildFire file\r\nblocking profiles\r\nEnsure a WildFire Analysis profile is enabled for all security policies\r\nEnsure forwarding of decrypted content to WildFire is enabled\r\nEnsure all WildFire session information settings are enabled\r\nEnsure alerts are enabled for malicious files detected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XSOAR Deploy XSOAR Playbook Cortex XDR - Isolate Endpoint\r\nDeploy XSOAR Playbook - Block IP\r\nDeploy XSOAR Playbook - Block URL\r\nDeploy XSOAR Playbook - Hunting and Threat Detection Playbook\r\nDeploy XSOAR Playbook - PAN-OS Query Logs for Indicators\r\nDeploy XSOAR Playbook - Phishing Investigation - Generic V2\r\nDeploy XSOAR Playbook - Endpoint Malware Investigation\r\nDeploy XSOAR Playbook - Access Investigation Playbook\r\nDeploy XSOAR Playbook - Impossible Traveler\r\nCortex XDR\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nConfigure Restrictions Security Profile\r\nConfigure Malware Security Profile\r\nCredential Access\r\nThe below courses of action mitigate the following techniques:\r\nBrute Force [T1110]\r\nNGFW Customize the action and trigger conditions for a Brute Force Signature\r\nCortex XSOAR Deploy 
XSOAR Playbook - Brute Force Investigation Playbook\r\nImpact\r\nThe below courses of action mitigate the following techniques:\r\nData Encrypted for Impact [T1486], Inhibit System Recovery [T1490]\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Ransomware Manual for incident response\r\nDeploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation\r\nTable 1. Courses of Action for Netwalker ransomware.\r\n†These capabilities are part of the NGFW security subscriptions service.\r\nConclusion\r\nWhile the concept of an attacker leveraging ransomware affiliate programs is not new, the actors behind\r\nNetWalker performed a certain level of vetting prior to the acceptance of new affiliates, which illustrates a higher\r\nlevel of effort than has been observed from other groups and actors. Their specific requirements – Russian-speaking candidates with demonstrated Red Team skills to attack and successfully compromise victims – allude to\r\nthe relative sophistication of the actors. By recruiting skilled individuals as affiliates, the actors appear to be\r\nlooking for larger payouts in more targeted campaigns against victim organizations.\r\nThe actors behind NetWalker aren’t the only group to move toward finding more skilled affiliates with an eye\r\ntoward targeting larger organizations with higher potential for ransom payouts. 
In light of this, it’s important for\r\nenterprises to employ both robust defensive technologies and capable cybersecurity expertise in their\r\nenvironments.\r\nPalo Alto Networks detects and prevents NetWalker in the following ways:\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR with:\r\nIndicators for NetWalker.\r\nAnti-Ransomware Module to detect NetWalker encryption behaviors.\r\nLocal Analysis detection for NetWalker binaries.\r\nNext-Generation Firewalls: DNS Signatures detect the known NetWalker command and control (C2)\r\ndomains, which are also categorized as malware in URL Filtering.\r\nAutoFocus: Tracking related activity using the NetWalker tag, originally known as Mailto.\r\nAdditionally, Indicators of Compromise (IoCs) associated with NetWalker are available on GitHub, and have been\r\npublished to the Unit 42 TAXII feed.\r\nAdditional Resources\r\nDepartment of Justice Launches Global Action Against NetWalker Ransomware\r\nHere's a list of all the ransomware gangs who will steal and leak your data if you don't pay\r\nNetWalker Ransomware Group Enters Advanced Targeting “Game”\r\nNetwalker Ransomware Explained: What You Need to Know [Updated]\r\nTake a “NetWalk” on the Wild Side\r\nSource: https://unit42.paloaltonetworks.com/ransomware-threat-assessments/2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/ransomware-threat-assessments/2/"
	],
	"report_names": [
		"2"
	],
	"threat_actors": [
		{
			"id": "53201ab8-30d2-4722-816e-f914604e78df",
			"created_at": "2022-10-25T16:07:23.466825Z",
			"updated_at": "2026-04-10T02:00:04.620188Z",
			"deleted_at": null,
			"main_name": "Circus Spider",
			"aliases": [],
			"source_name": "ETDA:Circus Spider",
			"tools": [
				"Koko Ransomware",
				"MailTo",
				"NetWalker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "373d61cc-32a0-4c0c-b48b-ff9e3f1357ac",
			"created_at": "2023-01-06T13:46:39.222456Z",
			"updated_at": "2026-04-10T02:00:03.250483Z",
			"deleted_at": null,
			"main_name": "CIRCUS SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:CIRCUS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434127,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdae41dd837c616e0e729cc13319cbd802a2713e.pdf",
		"text": "https://archive.orkl.eu/fdae41dd837c616e0e729cc13319cbd802a2713e.txt",
		"img": "https://archive.orkl.eu/fdae41dd837c616e0e729cc13319cbd802a2713e.jpg"
	}
}