Netwalker is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on September 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Mailto, Koko, NetWalker Doxware.
Quick Facts
Ransomware Family: Netwalker
First Seen: September 1, 2019
Known Aliases: Mailto, Koko, NetWalker Doxware
How Netwalker Ransomware Works
Targeted Files
Encrypts first 0xC800 bytes
Template for extension -> .mailto[<email_ransom>].<random{4-6}>
Some samples can reset the file modification date (modified_date)
9a601b6a24298764d589e0d9bf5d48ab0a3f472e013ce0480dd87f60083549b1 -> PowerShell
File Encryption Patterns
Netwalker modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
./\.[A-F0-9a-f]{4,6}$/
Ransom Note and Payment Demands
After encrypting files, Netwalker displays ransom notes demanding payment for file recovery:
file: /^[A-F0-9a-f]{5,6}-Readme\.txt$/
Ransom message:
notes/5E728-Readme.txt
Note locations:
Every folder
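The bare extension regex above also matches harmless names such as menu.cafe, so it is more useful when correlated with the ransom note in the same folder. The following is an added triage example, not part of the original analysis or of Elastio's tooling. The triage function, the grading tiers, the MAILTO_RE expression derived from the extension template, and the sample listing are assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Patterns as given on this page.
NOTE_RE = re.compile(r"^[A-F0-9a-f]{5,6}-Readme\.txt$")
EXT_RE = re.compile(r"\.[A-F0-9a-f]{4,6}$")
# Assumed stricter form of the template .mailto[<email_ransom>].<random{4-6}>
MAILTO_RE = re.compile(r"\.mailto\[[^\]]+\]\.[A-F0-9a-f]{4,6}$")

def triage(paths):
    """Group a file listing by folder and grade each folder.
    Grading tiers are this example's assumption, not from the page:
    'high'   : ransom note plus at least one file with a matching extension
    'medium' : ransom note alone, or a file matching the full .mailto[...] template
    'low'    : only the bare hex extension, which also matches benign names
    """
    folders = defaultdict(lambda: {"notes": [], "mailto": [], "hex_ext": []})
    for p in map(PurePosixPath, paths):
        bucket = folders[str(p.parent)]
        if NOTE_RE.match(p.name):
            bucket["notes"].append(p.name)
        elif MAILTO_RE.search(p.name):
            bucket["mailto"].append(p.name)
        elif EXT_RE.search(p.name):
            bucket["hex_ext"].append(p.name)
    report = {}
    for folder, hits in folders.items():
        renamed = hits["mailto"] + hits["hex_ext"]
        if hits["notes"] and renamed:
            report[folder] = "high"
        elif hits["notes"] or hits["mailto"]:
            report[folder] = "medium"
        elif hits["hex_ext"]:
            report[folder] = "low"
    return report

# Constructed listing for illustration (not from a real incident).
SAMPLE = [
    "/srv/share/5E728-Readme.txt",
    "/srv/share/budget.xlsx.mailto[user@example.com].5e728",
    "/srv/share/plan.docx.5e728",
    "/home/dev/menu.cafe",  # benign name that still matches the bare regex
    "/home/dev/notes.txt",
    "/var/tmp/report.pdf.mailto[user@example.com].a1b2c3",
]

if __name__ == "__main__":
    for folder, grade in sorted(triage(SAMPLE).items()):
        print(grade, folder)
```

Folders graded low are candidates for manual review rather than alerts, since the hex-only extension pattern is weak evidence by itself.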
Technical Indicators
Associated Executable Files
The following executable files are associated with Netwalker ransomware:
This Netwalker ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Netwalker.