Dark Reading is part of the Informa Tech Division of Informa PLC

Netwalker Ransomware Tools Reveal Attacker Tactics and Techniques

Malware and related files show that ransomware operators don't need a cutting-edge arsenal to be effective.

A malware tool set and related files that researchers at Sophos recently stumbled on provides rare insight into the tactics and techniques some threat actors are using to deploy ransomware these days.

The researchers discovered the malware while investigating Netwalker, a ransomware family that has been used in several recent attacks against large organizations in multiple sectors in the US, Australia, and Europe.

Their analysis showed the tool set contains a relatively comprehensive set of malware covering everything from reconnaissance and locating valuable data to privilege escalation, credential theft, password brute-forcing, and evading intrusion detection tools.

The malware includes tools for exploiting specific vulnerabilities in Windows environments and legacy server environments, such as Tomcat and WebLogic.

Interestingly, a substantial proportion of the tools in the Netwalker portfolio were obtained from the public domain and included so-called gray-hat tools such as Mimikatz for password dumping.

Andrew Brandt, principal researcher at Sophos, says the tool set is another reminder that attack tools don't have to be especially sophisticated to be effective.

"The techniques and tools they are using are not groundbreaking or new, but they remain stubbornly effective as IT teams continue to struggle with controlling what's running on their networks and what is accessible through the firewall," Brandt says.

According to Sophos, the strategy being used by the Netwalker attackers to gain an initial foothold on an enterprise network remains unclear. But the tools suggest they have the ability to take advantage of heavily publicized vulnerabilities in Windows and other environments to break into vulnerable networks.

The Netwalker tool set also includes a tool called NLBrute, which the attackers have set up to break into systems exposing weakly protected Remote Desktop Protocol (RDP) services. Sophos found NLBrute configured with a specific list of usernames and passwords to try against RDP services.

"The [username and password] lists serve as a good guideline for what not to do when it comes to choosing complex passwords," Brandt says.

Sophos found that once the attackers gain entry to a network, they use commonly available tools, such as SoftPerfect Network Scanner, to look for and create lists of computers with open SMB ports. They then use products such as Mimikatz, Mimidogz, or Mimikittenz to harvest credentials from these systems.

The set of post-exploitation tools in the Netwalker arsenal includes several for privilege escalation. Among them are exploits for a critical, recently disclosed remote code execution bug in Microsoft's Server Message Block (SMB v3) technology (CVE-2020-0796), a local privilege escalation vulnerability in Windows (CVE-2019-1458), and a flaw from 2015 dubbed "Russian Doll" (CVE-2015-1701).

For the ransomware deployment itself, the attackers have been using a heavily obfuscated PowerShell loader script and orchestration tools that use domain controllers to distribute malware to any machine the domain controllers can reach.

Publicly Available Tools
Interestingly, several of the tools the operators of Netwalker are using to remove Windows endpoint malware detection tools are from legitimate security vendors. Among the tools in this category that Sophos' researchers discovered are WorryFree Uninstall from Trend Micro, AV Remover from ESET, and Microsoft Security Client Uninstall.

Like the antivirus software removal tools, a majority of the other tools the operators of Netwalker are using in ransomware campaigns are publicly available products. Among them are Mimikatz, Windows Credential Editor, pwdump, SoftPerfect Network Scanner, PsExec, TeamViewer, and AnyDesk.

Brandt says the tools and tactics attackers are using to deploy Netwalker ransomware might have been considered cutting edge even two years ago, but they are relatively old hat now. 

"These attackers are not plowing rough ground here," he says.

At the same time, it is a mistake to underestimate the damage these attackers can cause or the cost of cleaning up after them.

"These attackers have not slowed down, as we've seen evidence of new malware payloads being created even this week," Brandt says. "So as rudimentary as they are, they must still be somewhat effective."

For organizations, threats like Netwalker highlight the need for basic security hygiene, he says. Brute-force attacks against RDP, or attacks seeking to exploit the EternalBlue issue in the SMB protocol, for instance, should be relatively easy for organizations to protect against, provided they put in the effort to address them.
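The RDP brute-forcing described above leaves a very recognizable trail in the Windows Security event log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a success (Event ID 4624) from the same address. The following is an added example written for this article, not code from Sophos or from the Netwalker tool set; the log lines are constructed for the example and flattened into a simple CSV shape, and the threshold and time window are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, flattened for the example
# as: timestamp, event_id, logon_type, source_ip, target_username.
# Event 4625 is a failed logon, 4624 a successful one; logon type 10 is
# RemoteInteractive, i.e. RDP. The addresses are documentation ranges.
SAMPLE_EVENTS = """\
2020-07-08T01:00:00,4625,10,203.0.113.7,administrator
2020-07-08T01:00:02,4625,10,203.0.113.7,admin
2020-07-08T01:00:04,4625,10,203.0.113.7,administrator
2020-07-08T01:00:05,4625,10,203.0.113.7,guest
2020-07-08T01:00:07,4625,10,203.0.113.7,backup
2020-07-08T01:00:09,4625,10,203.0.113.7,administrator
2020-07-08T01:00:11,4624,10,203.0.113.7,administrator
2020-07-08T01:30:00,4625,10,198.51.100.2,jsmith
2020-07-08T01:45:00,4624,10,198.51.100.2,jsmith
2020-07-08T02:00:00,4625,3,192.0.2.10,svc_backup
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the flattened CSV lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, user = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "src": src,
            "user": user,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as tuples.

    ("bruteforce", src, time): a source produced `threshold` or more RDP logon
    failures inside a sliding `window` (assumed values, tune per environment).
    ("success_after_bruteforce", src, user): that same source later logged on
    successfully, the case an analyst should look at first.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                       # only interested in RDP logons here
        src = ev["src"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()                # drop failures older than the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ev["time"]))
        elif ev["event_id"] == SUCCESS_LOGON and src in flagged:
            alerts.append(("success_after_bruteforce", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On a real host the same fields come from the Security log (for instance exported with wevtutil or Get-WinEvent and filtered to Event ID 4625 with logon type 10); the single failure from 198.51.100.2 and the non-RDP failure from 192.0.2.10 in the sample are there to show that the rule does not fire on ordinary mistyped passwords or on network logons. The detection is only half the fix: the same events should drive an account lockout or a block at the firewall, and RDP should not be reachable from the Internet at all.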

"I just wonder what it will require for everyone to understand these risks are not insurmountable and agree to take their patch medicine," Brandt says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...