Netwalker Ransomware Tools Reveal Attacker Tactics and Techniques

Malware and related files show that ransomware operators don't need a cutting-edge arsenal to be effective.

A malware tool set and related files that researchers at Sophos recently stumbled on provides rare insight into the tactics and techniques some threat actors are using to deploy ransomware these days.

The researchers discovered the malware while investigating Netwalker, a ransomware family that has been used in several recent attacks against large organizations in multiple sectors in the US, Australia, and Europe.

Their analysis showed the tool set contains a relatively comprehensive set of malware for everything from conducting reconnaissance to sniffing out valuable information, privilege escalation, credential theft, brute-forcing passwords, and evading intrusion detection tools.

The malware includes tools for exploiting specific vulnerabilities in Windows environments and legacy server environments, such as Tomcat and WebLogic.

Interestingly, a substantial proportion of the tools in the Netwalker portfolio were obtained from the public domain and included so-called gray-hat tools such as Mimikatz for password dumping.

Andrew Brandt, principal researcher at Sophos, says the tool set is another reminder why attack tools don't have to be especially sophisticated to be effective.

"The techniques and tools they are using are not groundbreaking or new, but they remain stubbornly effective as IT teams continue to struggle with controlling what's running on their networks and what is accessible through the firewall," Brandt says.

According to Sophos, the strategy being used by the Netwalker attackers to gain an initial foothold on an enterprise network remains unclear. But the tools suggest they have the ability to take advantage of heavily publicized vulnerabilities in Windows and other environments to break into vulnerable networks.

The Netwalker tool set also includes NLBrute, which the attackers have set up to break into systems with weakly secured Remote Desktop Services (RDP). Sophos found NLBrute configured with a specific list of usernames and passwords to try against RDP services.

"The [username and password] lists serve as a good guideline for what not to do when it comes to choosing complex passwords," Brandt says.
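The password-guessing described above leaves a characteristic trace on the target: a burst of failed RDP logons from one source, cycling through usernames. The following detector is an added example (not code from the article or from Sophos) that runs over constructed Windows Security event records; the record layout, threshold and window are assumptions, not values the article gives.

```python
# Added example: flag RDP password-guessing bursts of the kind a tool such
# as NLBrute produces, using constructed Windows Security event records.
# Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, source_ip, username)
SAMPLE_EVENTS = [
    ("2020-05-27T08:00:01", 4625, 10, "203.0.113.5", "administrator"),
    ("2020-05-27T08:00:02", 4625, 10, "203.0.113.5", "admin"),
    ("2020-05-27T08:00:03", 4625, 10, "203.0.113.5", "user"),
    ("2020-05-27T08:00:04", 4625, 10, "203.0.113.5", "backup"),
    ("2020-05-27T08:00:05", 4625, 10, "203.0.113.5", "test"),
    ("2020-05-27T08:00:06", 4625, 10, "203.0.113.5", "scanner"),
    ("2020-05-27T08:01:30", 4624, 10, "203.0.113.5", "backup"),   # success after the burst
    ("2020-05-27T08:00:10", 4625, 3,  "192.0.2.9",   "svc"),      # network logon, not RDP
    ("2020-05-27T09:15:00", 4625, 10, "198.51.100.7", "alice"),   # single mistyped password
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources with at least `threshold` failed
    RDP logons inside `window`; the summary lists the usernames tried and any
    later successful RDP logon from the same source (a likely password hit)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if logon_type != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        (failures if event_id == 4625 else successes)[src].append((t, user))
    findings = {}
    for src, fails in failures.items():
        fails.sort()
        best, start = None, 0
        for end in range(len(fails)):  # sliding window over sorted failure times
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, start, end = best
            usernames = sorted({u for _, u in fails[start:end + 1]})
            later = [u for t, u in successes.get(src, []) if t >= fails[start][0]]
            findings[src] = {"failed_attempts": count, "usernames": usernames,
                             "later_success": later}
    return findings
```

A source that trips the threshold and then shows a later successful logon is the case to escalate first, since it indicates one of the guessed passwords worked.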

Sophos found that once the attackers gain entry to a network, they use commonly available tools, such as SoftPerfect Network Scanner, to look for and create lists of computers with open SMB ports. They then use products such as Mimikatz, Mimidogz, or Mimikittenz to harvest credentials from these systems.

The set of post-exploitation tools in the Netwalker arsenal includes several for privilege escalation. Among them are exploits for a critical, recently disclosed remote code execution bug in Microsoft's Server Message Block (SMB v3) technology (CVE-2020-0796), a local privilege escalation vulnerability in Windows (CVE-2019-1458), and a flaw from 2015 dubbed "Russian Doll" (CVE-2015-1701).

For the ransomware deployment itself, the attackers have been using a heavily obfuscated PowerShell loader script and orchestration tools that use domain controllers to distribute malware to any machine the domain controllers can reach.

Publicly Available Tools
Interestingly, several of the tools the operators of Netwalker are using to remove Windows endpoint malware detection tools are from legitimate security vendors. Among the tools in this category that Sophos' researchers discovered are WorryFree Uninstall from Trend Micro, AV Remover from ESET, and Microsoft Security Client Uninstall.

Like the antivirus software removal tools, a majority of the other tools the operators of Netwalker are using in ransomware campaigns are publicly available products. Among them are Mimikatz, Windows Credential Editor, pwdump, SoftPerfect Network Scanner, PsExec, TeamViewer, and AnyDesk.

Brandt says the tools and tactics attackers are using to deploy Netwalker ransomware might have been considered cutting edge even two years ago, but they are relatively old hat now.

"These attackers are not plowing rough ground here," he says.

At the same time, it is a mistake to underestimate the damage these attackers can cause or the cost of cleaning up after them.

"These attackers have not slowed down, as we've seen evidence of new malware payloads being created even this week," Brandt says. "So as rudimentary as they are, they must still be somewhat effective."

For organizations, threats like Netwalker highlight the need for basic security hygiene, he says. Brute-force attacks against RDP or those seeking to exploit the EternalBlue issue in the SMB protocol, for instance, should be relatively easy for organizations to protect against provided they put in the effort to address them, he says.

"I just wonder what it will require for everyone to understand these risks are not insurmountable and agree to take their patch medicine," Brandt says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.