Arrival
Attackers typically deploy NetWalker during human-operated ransomware campaigns against large enterprise networks. To gain initial access, they send email messages with a malicious file attachment, exploit vulnerabilities in public-facing services, or gain entry through exposed RDP services.
Initial execution
When the target user opens the malicious email attachment and enables its macro, the macro downloads a PowerShell script. The script carries the ransomware executable as embedded hex bytes and deploys either a 32-bit or a 64-bit build, depending on the architecture of the target device.

Embedded ransomware executable hex bytes in PowerShell
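The dropper pattern above (a PE embedded in a PowerShell script as a hex string) can be triaged without running the script: find the long hex blobs, decode them, and check for an MZ/PE header and the machine type. The following is an added example, not code from the original analysis or from the dropper; the script fragment in SAMPLE_SCRIPT is constructed to mimic the pattern, and the real script's variable names, decoding routine and obfuscation are not known from the write-up.

```python
"""Triage of a PowerShell dropper that embeds its payload as hex bytes.

Added example, not code from the original analysis or from the dropper.
SAMPLE_SCRIPT is constructed to mimic the pattern (a quoted hex string the
script decodes and writes to disk); the real script's variable names,
decoding routine and obfuscation are not known from the write-up.
"""
import hashlib
import re
import struct

# A quoted run of at least 64 hex characters: long enough to skip GUIDs and
# hashes, short enough to catch any embedded executable.
HEX_BLOB = re.compile(r"""['"]([0-9A-Fa-f]{64,})['"]""")

# IMAGE_FILE_MACHINE values from the PE specification.
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)",
                 0x01C4: "ARM", 0xAA64: "ARM64"}


def pe_machine(data: bytes):
    """Return the PE machine type if data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def extract_embedded_pes(script_text: str):
    """Decode every hex blob in the script and report those that are PE files."""
    found = []
    for m in HEX_BLOB.finditer(script_text):
        blob = m.group(1)
        if len(blob) % 2:          # odd length cannot be a byte string
            continue
        data = bytes.fromhex(blob)
        machine = pe_machine(data)
        if machine is None:
            continue
        found.append({
            "offset": m.start(1),
            "size": len(data),
            "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


def fake_pe(machine: int) -> bytes:
    """Constructed minimal PE header (MZ stub, e_lfanew, PE signature, machine) for the demo."""
    hdr = bytearray(0x40 + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)  # IMAGE_FILE_HEADER.Machine
    return bytes(hdr)


# Constructed dropper fragment: one blob per architecture, selected at run time.
SAMPLE_SCRIPT = f"""
$x86 = '{fake_pe(0x014C).hex()}'
$x64 = '{fake_pe(0x8664).hex()}'
if ([IntPtr]::Size -eq 8) {{ $payload = $x64 }} else {{ $payload = $x86 }}
"""

if __name__ == "__main__":
    for hit in extract_embedded_pes(SAMPLE_SCRIPT):
        print(hit)
```

The SHA-256 of each decoded blob is what you would compare against the sample hash at the end of this analysis or submit to a sandbox; the machine field tells you which build the script carries without executing anything.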
Anti-debug check
Once launched, this ransomware locates the Process Environment Block (PEB) through the TEB pointer and reads the BeingDebugged byte at PEB offset 2 to check whether it is being debugged. If the flag is set, it terminates itself. Because the check is a single byte, analysts typically clear it in the debugger before letting the sample continue.

Anti-debug check using PEB offset
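The check itself, as an added example rather than the ransomware's own code: on Windows it reaches the PEB via NtQueryInformationProcess(ProcessBasicInformation) and reads the byte at PEB+2, which is the same field the malware reads through the fs:[0x30] / gs:[0x60] TEB pointer. On other platforms it falls back to the Linux analogue (TracerPid in /proc/self/status) so the same function runs on an analysis box; the fallback and the pure helper functions are assumptions added for portability, not part of the sample.

```python
"""PEB.BeingDebugged check as NetWalker performs it, plus the Linux analogue.

Added example, not the ransomware's code. The Windows path reads the byte at
PEB+2 through NtQueryInformationProcess; the non-Windows path reads TracerPid
from /proc/self/status (assumed equivalent for demonstration purposes).
"""
import ctypes
import sys

PEB_BEING_DEBUGGED_OFFSET = 2    # BYTE BeingDebugged follows Reserved1[2] in the PEB
PROCESS_BASIC_INFORMATION_CLASS = 0


def being_debugged_from_peb(peb_prefix: bytes) -> bool:
    """Interpret the first bytes of a PEB: non-zero at offset 2 means a debugger is attached."""
    return peb_prefix[PEB_BEING_DEBUGGED_OFFSET] != 0


def tracer_pid_from_status(status_text: str) -> int:
    """Parse the TracerPid line of /proc/<pid>/status (0 means not traced)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def read_windows_peb_prefix(length: int = 4) -> bytes:
    """Windows only: fetch the PEB base address and copy its first bytes."""
    class PROCESS_BASIC_INFORMATION(ctypes.Structure):
        _fields_ = [("Reserved1", ctypes.c_void_p),
                    ("PebBaseAddress", ctypes.c_void_p),
                    ("Reserved2", ctypes.c_void_p * 2),
                    ("UniqueProcessId", ctypes.c_void_p),
                    ("Reserved3", ctypes.c_void_p)]

    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtQueryInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p]
    pbi = PROCESS_BASIC_INFORMATION()
    status = ntdll.NtQueryInformationProcess(
        ctypes.c_void_p(-1),                 # GetCurrentProcess() pseudo-handle
        PROCESS_BASIC_INFORMATION_CLASS,
        ctypes.byref(pbi), ctypes.sizeof(pbi), None)
    if status != 0:
        raise OSError(f"NtQueryInformationProcess failed: NTSTATUS {status:#x}")
    return ctypes.string_at(pbi.PebBaseAddress, length)


def is_being_debugged() -> bool:
    """Same decision the malware makes; it exits when this returns True."""
    if sys.platform == "win32":
        return being_debugged_from_peb(read_windows_peb_prefix())
    try:
        with open("/proc/self/status") as fh:
            return tracer_pid_from_status(fh.read()) != 0
    except OSError:
        return False


if __name__ == "__main__":
    print("debugger attached:", is_being_debugged())
```

Clearing that byte in the debugger (or with a write to PEB+2 from an injected script) neutralizes this check; the sample does not re-read it in a way that would detect the patch, so it is a cheap first step when detonating the binary under a debugger.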
Decrypts configuration data
This ransomware then decrypts the configuration data it needs for file encryption. The encrypted configuration is stored in the binary's resource section; the malware locates it with the FindResource and LoadResource API calls, loads it into memory, and decrypts it with a simple decryption loop.

Decryption loop used for decrypting configuration data
The decrypted configuration data includes:
- mpk - Public key
- mode - Running mode
- spsz - Encryption chunk size
- thr - Allocated threads for encryption
- idsz - ID length
- pers - Persistence
- encname - Encryption name
- onion1 - Onion link 1
- onion2 - Onion link 2
- lfile - Ransom note
- white - List of files, folders, and extensions to exclude from encryption
- kill - List of processes to stop
- task - List of tasks to perform
- net - Network resources encryption
- unlocker - Decryption exclusion list
Stores identifier in the registry
This ransomware creates a registry subkey with a six-character alphanumeric identifier under HKLM\Software and stores the configuration data it requires for encryption and decryption.
It appends the same alphanumeric identifier to the original file names after encryption.
Maintains persistence
To maintain persistence on the target device, this ransomware creates an entry in:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Deletes shadow copies
After identifying files for encryption, this ransomware deletes all Volume Shadow Copy snapshots so that encrypted files cannot be restored from them. It runs the following command to delete the shadow copies:
vssadmin.exe delete shadows /all /quiet
Stops processes and services
This ransomware stops various processes and services to ensure they do not lock files targeted for encryption. Here are some of the processes that it stops:
sql, agntsvc.exe, dbeng50.exe, dbsnmp.exe, encsvc.exe, excel.exe, firefoxconfig.exe, infopath.exe, msaccess.exe, mspub.exe, mydesktopqos.exe, mydesktopservice.exe, ocautoupds.exe, ocomm.exe, ocssd.exe, onenote.exe, oracle.exe, outlook.exe, powerpnt.exe, synctime.exe, tbirdconfig.exe, thebat.exe, thebat64.exe, visio.exe, winword.exe, wordpad.exe, xfssvccon.exe
Here are some of the services that it stops:
apach, hMailServer, IBM Domino, IISADMIN, Lotus, MSExchange, QuickBooksDB
Excludes files and folders from encryption
This ransomware excludes certain files and folders from encryption to ensure that the device continues to function after encryption. It has a list of paths, file names, and extension names that it uses to identify the files and folders to exclude.
Here are some of the paths in its exclusion list:
- \program file\vmware
- \users\temp
- \windows
- \winnt
- \Program File\Cisco
- \program file\common files\system
- \program file\microsoft games
- \program file\windows media
- \program file\windows nt
- \program file\windows portable
- \program file\windowspowershell
- \appdatamicrosoft
- \appdatapackages
- \Mozilla
- \system volume information
- \windows defender
Here are some of the file names and extensions in its exclusion list:
- .386
- .bat
- .cab
- .cmd
- .com
- .dll
- .drv
- .exe
- .hlp
- .hta
- .ico
- .lnk
- .msi
- .ocx
- .ps1
- .scr
- .sys
- autorun.inf
- bootmgr
- desktop.ini
- gdipfont.dat
- iconcache.db
- ntldr
- ntuser.dat
- ntuser.ini
- thumbs.db
- Usrclass.dat
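How the kill list and the exclusion list are applied can be modelled from the fields listed above. The following is an added example, not code from the sample: the grouping of the white list into path, file and extension entries, case-insensitive substring matching for paths and for kill-list names (an entry such as "sql" only makes sense as a substring test), and the skipping of already-encrypted files and of the ransom note are assumptions; the entries themselves are taken from the lists in this analysis, and the file listing is constructed.

```python
"""Evaluate the kill list and exclusion ("white") list from the decrypted configuration.

Added example, not code from the sample. The grouping of the white list into
path, file and ext entries, case-insensitive substring matching for paths and
kill-list names, and skipping of already-encrypted files and the ransom note
are assumptions; the entries themselves come from the lists in the analysis.
"""
import ntpath

# Constructed configuration fragment using the key names from the write-up.
CONFIG = {
    "kill": ["sql", "oracle.exe", "excel.exe", "outlook.exe", "winword.exe"],
    "white": {
        "path": ["\\windows", "\\winnt", "\\users\\temp", "\\system volume information",
                 "\\windows defender", "\\program file\\vmware", "\\mozilla"],
        "file": ["autorun.inf", "bootmgr", "desktop.ini", "gdipfont.dat", "iconcache.db",
                 "ntldr", "ntuser.dat", "ntuser.ini", "thumbs.db", "usrclass.dat"],
        "ext": [".386", ".bat", ".cab", ".cmd", ".com", ".dll", ".drv", ".exe", ".hlp",
                ".hta", ".ico", ".lnk", ".msi", ".ocx", ".ps1", ".scr", ".sys"],
    },
    "lfile": "{id}-Readme.txt",  # ransom note name; {id} is the six-character victim ID
}


def should_kill(process_name: str, kill: list) -> bool:
    """Kill-list match; substring semantics are an assumption drawn from the "sql" entry."""
    name = process_name.lower()
    return any(entry.lower() in name for entry in kill)


def is_excluded(full_path: str, config: dict, victim_id: str) -> bool:
    """True if the ransomware would leave this file alone."""
    white = config["white"]
    path = full_path.lower().replace("/", "\\")
    directory, name = ntpath.split(path)
    ext = ntpath.splitext(name)[1]
    note_name = config["lfile"].format(id=victim_id).lower()
    # Path entries are matched against the directory part only, as substrings.
    if any(p in directory + "\\" for p in white["path"]):
        return True
    if name in white["file"] or ext in white["ext"]:
        return True
    # Assumed safeguards: do not re-encrypt already-encrypted files or the dropped note.
    return name.endswith("." + victim_id.lower()) or name == note_name


def plan_encryption(paths, config: dict, victim_id: str) -> list:
    """Return the subset of paths that would be encrypted."""
    return [p for p in paths if not is_excluded(p, config, victim_id)]


# Constructed file listing for the demo.
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Desktop\thumbs.db",
    r"C:\Users\alice\Desktop\installer.msi",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\report.docx.8a9c74",
    r"C:\Users\alice\Documents\8a9c74-Readme.txt",
    r"D:\shares\finance\budget.xlsx",
]

if __name__ == "__main__":
    for p in plan_encryption(SAMPLE_PATHS, CONFIG, "8a9c74"):
        print("would encrypt:", p)
```

Two things the model makes visible: the exclusions protect the operating system and the malware's own artifacts, not the victim's data (documents and file shares on other drives pass straight through), and a substring kill list such as "sql" stops every SQL-related service at once, which is why database files are reliably encrypted rather than skipped because they were locked.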
Encrypts files
This ransomware uses the ChaCha20 algorithm to encrypt file contents. After encryption, it appends the six-character alphanumeric ID as an extension to the original file name.

Encrypted files
Drops ransom note
After encryption, this ransomware drops a text file containing a ransom note in all the affected folders. It appends the same alphanumeric ID to the file name, for example, 8a9c74-Readme.txt. This text file contains a ransom note that indicates the files have been encrypted and provides recovery instructions.

Ransom note
Deletes self
This ransomware drops a batch file in the %Temp% folder and runs it to delete its own executable. In one instance, the batch file was named 22D8.tmp.bat.
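The registry ID key, RunOnce persistence, shadow-copy deletion, ransom-note drop and batch self-delete described above each leave a host-level trace, and they come from one process tree in quick succession. The following detection logic is an added example, not part of the original analysis: EVENTS is a constructed, simplified Sysmon-like log (EventID 1 process create, 11 file create, 13 registry value set) whose field names follow Sysmon but whose records are made up for the demo, and the regular expressions are starting points to tune rather than production rules.

```python
"""Host-based detections for the post-encryption steps described in the analysis.

Added example, not from the original analysis. EVENTS is a constructed,
simplified Sysmon-like log (EventID 1 process create, 11 file create,
13 registry value set); field names follow Sysmon but every record is made up.
"""
import re
from collections import defaultdict

VICTIM_ID = r"[0-9a-z]{6}"  # the six-character alphanumeric ID the sample generates

# (rule name, EventID, field to test, regex, attribute the hit to the parent process?)
RULES = [
    ("shadow_copy_deletion", 1, "CommandLine",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I), True),
    ("temp_batch_self_delete", 1, "CommandLine",
     re.compile(r"cmd(\.exe)?\s+/c\s+.*\\Temp\\[0-9A-F]{1,4}\.tmp\.bat", re.I), True),
    ("runonce_persistence", 13, "TargetObject",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", re.I), False),
    ("id_registry_key", 13, "TargetObject",
     re.compile(r"^HKLM\\SOFTWARE\\" + VICTIM_ID + r"\\", re.I), False),
    ("ransom_note_drop", 11, "TargetFilename",
     re.compile(r"\\" + VICTIM_ID + r"-Readme\.txt$", re.I), False),
]


def evaluate(events):
    """Map each rule name to the list of process IDs it fired for."""
    hits = defaultdict(list)
    for ev in events:
        for name, event_id, field, pattern, to_parent in RULES:
            if ev.get("EventID") != event_id or not pattern.search(ev.get(field, "")):
                continue
            # A child such as vssadmin.exe is attributed to the process that spawned it.
            actor = ev.get("ParentProcessId", ev["ProcessId"]) if to_parent else ev["ProcessId"]
            hits[name].append(actor)
    return dict(hits)


def flagged_processes(events, min_rules=2):
    """Processes that triggered at least min_rules distinct rules.

    The correlation is what separates a ransomware run from a lone benign
    RunOnce write by an installer or an administrator listing shadow copies.
    """
    rules_per_actor = defaultdict(set)
    for rule, actors in evaluate(events).items():
        for actor in actors:
            rules_per_actor[actor].add(rule)
    return {a for a, rules in rules_per_actor.items() if len(rules) >= min_rules}


# Constructed event log: PID 4120 is the ransomware, 5000 and 5100 are benign noise.
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"EventID": 13, "ProcessId": 4120, "TargetObject": r"HKLM\SOFTWARE\8a9c74\mpk",
     "Details": "Binary Data"},
    {"EventID": 13, "ProcessId": 4120,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\8a9c74",
     "Details": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 11, "ProcessId": 4120,
     "TargetFilename": r"C:\Users\alice\Documents\8a9c74-Readme.txt"},
    {"EventID": 1, "ProcessId": 4202, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\22D8.tmp.bat"'},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"EventID": 13, "ProcessId": 5100,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Installer",
     "Details": r"C:\Windows\Installer\setup.exe /cleanup"},
]

if __name__ == "__main__":
    print(evaluate(EVENTS))
    print("flagged:", flagged_processes(EVENTS))
```

The id_registry_key pattern will also match any vendor key whose name happens to be six alphanumeric characters, and RunOnce writes are common during software installation; neither is worth an alert on its own, which is why the example only flags a process once two distinct behaviours are attributed to it. Because the shadow-copy deletion runs before most files are encrypted, it is the earliest of these signals and the one worth an automated response (isolating the host) rather than a ticket.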
Sample used in the analysis
This ransomware has multiple variants that show varying behaviors. This analysis is based on the following sample:
22a5872ba6adfe449e46d9a223cb7567697e30f89d6d42095e48de3033359de3 (SHA-256)