Netwalker Ransomware Tools Reveal Attacker Tactics and Techniques

Malware and related files show that ransomware operators don't need a cutting-edge arsenal to be effective.

A malware tool set and related files that researchers at Sophos recently stumbled on provide rare insight into the tactics and techniques some threat actors are using to deploy ransomware these days.

The researchers discovered the malware while investigating Netwalker, a ransomware family that has been used in several recent attacks against large organizations in multiple sectors in the US, Australia, and Europe.

Their analysis showed the tool set contains a relatively comprehensive collection of malware covering everything from reconnaissance and locating valuable information to privilege escalation, credential theft, password brute-forcing, and evasion of intrusion detection tools.

The malware includes tools for exploiting specific vulnerabilities in Windows environments and in legacy server software such as Tomcat and WebLogic.

Interestingly, a substantial proportion of the tools in the Netwalker portfolio are publicly available and include so-called gray-hat tools such as Mimikatz for password dumping.

Andrew Brandt, principal researcher at Sophos, says the tool set is another reminder why attack tools don't have to be especially sophisticated to be effective.

"The techniques and tools they are using are not groundbreaking or new, but they remain stubbornly effective as IT teams continue to struggle with controlling what's running on their networks and what is accessible through the firewall," Brandt says.

According to Sophos, the strategy being used by the Netwalker attackers to gain an initial foothold on an enterprise network remains unclear. But the tools suggest they have the ability to take advantage of heavily publicized vulnerabilities in Windows and other environments to break into vulnerable networks.

The Netwalker tool set also includes a tool called NLBrute, which the attackers have set up to break into systems running weakly protected Remote Desktop Protocol (RDP) services. Sophos found NLBrute configured to use a specific list of usernames and passwords to try to break into RDP services.

"The [username and password] lists serve as a good guideline for what not to do when it comes to choosing complex passwords," Brandt says.

Sophos found that once the attackers gain entry to a network, they use commonly available tools, such as SoftPerfect Network Scanner, to look for and create lists of computers with open SMB ports. They then use products such as Mimikatz, Mimidogz, or Mimikittenz to harvest credentials from these systems.

The set of post-exploitation tools in the Netwalker arsenal includes several for privilege escalation. Among them are exploits for a critical, recently disclosed remote code execution bug in Microsoft's Server Message Block (SMB v3) technology (CVE-2020-0796), a local privilege escalation vulnerability in Windows (CVE-2019-1458), and a flaw from 2015 dubbed "Russian Doll" (CVE-2015-1701).

For the ransomware deployment itself, the attackers have been using a heavily obfuscated PowerShell loader script and orchestration tools that use domain controllers to distribute malware to any machine the domain controllers can reach.

Publicly Available Tools
Interestingly, several of the tools the operators of Netwalker are using to remove Windows endpoint malware detection tools are from legitimate security vendors. Among the tools in this category that Sophos' researchers discovered are WorryFree Uninstall from Trend Micro, AV Remover from ESET, and Microsoft Security Client Uninstall.

Like the antivirus software removal tools, a majority of the other tools the operators of Netwalker are using in ransomware campaigns are publicly available products. Among them are Mimikatz, Windows Credential Editor, pwdump, SoftPerfect Network Scanner, psexec, Teamviewer, and Anydesk.

Brandt says the tools and tactics attackers are using to deploy Netwalker ransomware might have been considered cutting edge even two years ago, but they are relatively old hat now.

"These attackers are not plowing rough ground here," he says.

At the same time, it is a mistake to underestimate the damage these attackers can cause or the cost of cleaning up after them.

"These attackers have not slowed down, as we've seen evidence of new malware payloads being created even this week," Brandt says. "So as rudimentary as they are, they must still be somewhat effective."

For organizations, threats like Netwalker highlight the need for basic security hygiene, he says. Brute-force attacks against RDP or those seeking to exploit the EternalBlue issue in the SMB protocol, for instance, should be relatively easy for organizations to protect against provided they put in the effort to address them, he says.
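The RDP brute-forcing described above (NLBrute working through a fixed list of usernames and passwords) leaves a very recognizable trace in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, often across many account names. The following is an added illustration of that detection, not code from the article or from Sophos; the event records are constructed to mimic the relevant 4625 fields, and the five-failures-in-five-minutes threshold is an assumed tuning value, not one the article gives.

```python
"""Flag source addresses generating bursts of failed RDP logons.

Added example (not part of the article or Sophos' research). Records are
constructed in the shape of Windows Security Event ID 4625 fields:
(timestamp, event_id, logon_type, target_user, source_ip).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # "An account failed to log on"
RDP_LOGON_TYPE = 10      # RemoteInteractive: a logon over Terminal Services / RDP

# Constructed sample events: one noisy source cycling through account names,
# one user who mistypes a password twice and then succeeds, and one network
# (SMB-style, logon type 3) failure that must not count as RDP.
SAMPLE_EVENTS = [
    ("2020-05-27T08:00:01", 4625, 10, "administrator", "203.0.113.9"),
    ("2020-05-27T08:00:03", 4625, 10, "admin",         "203.0.113.9"),
    ("2020-05-27T08:00:04", 4625, 10, "user",          "203.0.113.9"),
    ("2020-05-27T08:00:06", 4625, 10, "test",          "203.0.113.9"),
    ("2020-05-27T08:00:09", 4625, 10, "guest",         "203.0.113.9"),
    ("2020-05-27T08:00:12", 4625, 10, "Administrator", "203.0.113.9"),
    ("2020-05-27T08:00:15", 4625, 3,  "administrator", "203.0.113.9"),   # not RDP
    ("2020-05-27T08:01:00", 4625, 10, "jsmith",        "198.51.100.5"),
    ("2020-05-27T08:01:20", 4625, 10, "jsmith",        "198.51.100.5"),
    ("2020-05-27T08:01:40", 4624, 10, "jsmith",        "198.51.100.5"),  # success
    ("2020-05-27T09:30:00", 4625, 10, "backup",        "203.0.113.9"),   # outside window
]


def parse_event(record):
    """Turn a raw record tuple into a dict with a real datetime and a
    case-folded account name (Windows account names are case-insensitive)."""
    ts, event_id, logon_type, user, source = record
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": event_id,
        "logon_type": logon_type,
        "user": user.lower(),
        "source": source,
    }


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {...}} for every source that produced at least
    `threshold` failed RDP logons inside any sliding `window`.

    The `spray` flag marks sources that tried more than one account name,
    which is what a username/password list such as the one found in
    NLBrute's configuration looks like from the defender's side.
    """
    by_source = defaultdict(list)
    for record in events:
        ev = parse_event(record)
        # Only failed logons, and only the RemoteInteractive (RDP) kind.
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        by_source[ev["source"]].append(ev)

    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        start, best_count, best_users = 0, 0, set()
        # Two-pointer sliding window: advance `start` until the window fits.
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_users = {e["user"] for e in evs[start:end + 1]}
        if best_count >= threshold:
            alerts[source] = {
                "failures": best_count,
                "users": sorted(best_users),
                "spray": len(best_users) > 1,
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failed RDP logons, "
              f"accounts tried: {', '.join(info['users'])}, spray={info['spray']}")
```

On the sample data only 203.0.113.9 is reported: six failures within twelve seconds across five distinct account names, while the single network-logon failure and the later isolated failure do not contribute. The user who mistyped a password twice stays below the threshold. In practice the threshold and window are tuned per environment, and the same records can be pulled from a SIEM rather than from an inline list; the point is that the behaviour Sophos describes is cheap to spot once failed RDP logons are being collected at all.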

"I just wonder what it will require for everyone to understand these risks are not insurmountable and agree to take their patch medicine," Brandt says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...