How the Nasty Netwalker Behaved in Past Few Months

NetWalker (aka Mailto) ransomware, developed and operated by a cybercrime group known as Circus Spider, has been active since mid-2019. Over the past few months, its operators have been actively targeting victims, mostly in corporate networks.

Actor's top targets

Lately, the NetWalker operators have targeted several enterprises running Windows systems.

Modus operandi

  • The group behind this ransomware operates on a ransomware-as-a-service model and adapts quickly to current events (it evidently took advantage of the coronavirus pandemic).
  • In late July, the group was found exploiting the CVE-2019-11510 and CVE-2019-18935 vulnerabilities.
  • Earlier, in May, the group was observed using reflective Dynamic-Link Library (DLL) injection to infect victims.

Affiliations and partnerships

The cybercrime group behind this ransomware has been identified as Circus Spider, a financially motivated threat group. At the end of May, the ransomware group was reportedly inviting other criminals to become partners in spreading the ransomware, giving preference to those with cybercrime experience and existing access to corporate networks.

Key takeaways

NetWalker ransomware uses a two-pronged attack strategy: it first encrypts data and then blackmails victims by threatening to leak it publicly. Experts suggest that the most efficient way to avoid this threat is to stop the ransomware at the initial stage with adequate security measures, such as secure email gateways, endpoint protection, and employee training.