What you should know about Netwalker
What you need to know about Netwalker
Ransomware: What you need to know about Netwalker
Emotet, Trickbot, Maze, Ryuk and now Netwalker: Cybercrime has increased exponentially over the past year. Ransomware has become a seemingly unmanageable problem for companies in every industry, large and small. In 2019 alone, attackers extorted an estimated 11.5 billion dollars from their victims, up from eight billion dollars the previous year. Experts estimate that the cost of ransomware attacks will almost double to 20 billion dollars by 2021. Since the first significant attack in March, Netwalker (aka Mailto) has already generated more than 30 million dollars in ransoms, and the trend is rising sharply.
What is Netwalker?
The Netwalker ransomware was developed in 2019 by the cybercrime group "Circus Spider", which in turn is part of the "Mummy Spider" group. On the surface, Netwalker behaves like most other ransomware variants: The malware usually gains a foothold in victims' systems via phishing emails in order to then exfiltrate and encrypt their sensitive data. However, Netwalker increases the pressure on victims by publishing stolen data online and threatening to publish the rest on the dark web if payment is not made.
Cyber criminals of all countries unite: Ransomware-as-a-Service
Since 2020, "Circus Spider" has been striving for greater things and wants to make Netwalker a household name. To achieve this, the group is expanding its partner network, much like the Maze ransomware gang did previously. By switching to a ransomware-as-a-service (RaaS) model, it can operate on a much larger scale, attack more companies and "earn" higher ransoms. Very specific requirements are placed on the partners, which reads like a job advertisement: They must have experience in the networking sector, be able to speak Russian (English in particular as a native language, on the other hand, is a knock-outcriterion), have access to "quality targets" and be able to prove their experience.
The selected partners can then use the following features:
Fully automated TOR Chatpanel
Observer rights
Compatibility with all Windows devices from Windows 2000
Fast multi-threat encryption with flexible setting options
Decryption process
Encryption of neighbouring networks
Special PowerShell builds, that make it easier to bypass antivirus software
Immediate payouts
Who and what is the goal of Netwalker?
Since its first major "success" in March, Netwalker's ransomware attacks, which primarily target healthcare and educational institutions, have increased significantly. One of the best-known attacks targeted a university specialising in medical research. Sensitive data was stolen and some of it published online, including student applications containing information such as national insurance numbers and other sensitive data. Obviously to good effect: the victims paid around 1.1 million US dollars to have their data decrypted. The attackers are also focusing on COVID-19-related topics by sending phishing emails and targeting healthcare organisations that have already been overwhelmed by the pandemic. For example, one of the first victims in the healthcare sector had its website destroyed by the attack, just when the population's need for information was at its greatest. Medical institutions are also an attractive target for attackers because they are traditionally understaffed in the IT sector and underfunded. They have no regard for a global pandemic. On the contrary, they are using it for phishing and to put even more pressure on the victims. And although the focus is on the healthcare sector, there are also targets and victims in other industries, such as manufacturing.
How does Netwalker work? / How does a Netwalker attack work?

Source: Varonis
Step 1: Phishing and infiltration
Netwalker relies heavily on phishing and spear phishing as a method of infiltration. As is common in phishing campaigns, Netwalker often sends emails that appear to come from legitimate sources in order to trick victims into opening the attachment. Most of the time, Netwalker attaches a VBS script called "CORONAVIRUS_COVID-19.vbs" that executes the ransomware when victims double-click the email or open the attached Word document.

Source: Varonis
Step 2: Data exfiltration and encryption
Once the script is opened and executed, Netwalker infiltrates the victim's system and the encryption countdown begins. The ransomware takes the form of a legitimate-looking process, typically in the form of a (legitimate) executable file. To do this, the code of the legitimate executable file is removed and the malicious code is injected into the file to access process.exe (process hollowing). This method gives the malware enough time to work its way through the network undetected, exfiltrating and encrypting data, deleting backups and creating backdoors before anyone even realises that something is wrong.
Step 3: Extortion, data recovery or loss
Once the exfiltration and encryption is complete, the victim is notified. The ransom note is relatively unspectacular and explains what has just happened and what needs to happen next if the user wants to get their data back safely. Circus Spider then demands a certain amount of money via a TOR browser portal, usually adapted to the victim's financial circumstances, to be paid in Bitcoins. If the victims pay, they are given access to a special decryption tool to restore the data securely. If the victim refuses to pay or waits too long, the demand for money is increased or some or all of the stolen data is published on the dark web.
How can you protect yourself from Netwalker?
Netwalker is constantly evolving, becoming more sophisticated and more difficult to defend against. The expansion of the "partner network" will also increase the threat, making it urgently necessary to take appropriate protective measures. This is also the view of the FBI's Cybercrime Division, which has issued a corresponding warning and recommends the following measures:
Create offline backups of your critical data.
Make sure that copies of important data are stored in the cloud or on an external hard drive or storage device.
Make sure that your backups are stored securely and cannot be deleted or modified from the system where the (regular) data is stored.
Install anti-virus or anti-malware software on all hosts and update it regularly.
Use only secure networks and avoid public Wi-Fi connections. Consider installing and using a VPN.
Use two-factor authentication with strong passwords.
Keep computers, devices and applications up to date. Like other types of malware, Netwalker exploits vulnerabilities in your systems and infrastructure to take control of computers and the entire network.
First and foremost, these tips are designed to minimise damage. Proactively implementing these procedures will go a long way towards preventing the spread of ransomware and minimising its impact once it has entered the system. Nevertheless, raising employee awareness is an essential element in preventing infection.
Don't get caught
Since Netwalker mainly uses phishing attacks with malicious links and executable files to infect systems, it is essential for the security and protection of your sensitive data to sensitise your employees accordingly. They need to recognise the dangers and know what to look out for in order to identify suspicious emails. Regular training is an excellent prevention method and helps your company to recognise the signs of malicious emails.
Always be vigilant and follow these tips for every email that asks you to click on a link, open an attachment or enter your credentials:
Check the name and domain, from which the email originates
Check for spelling errors in the subject and body of the email
Do not share your account information. Legitimate senders never ask for it by email
Do not open any attachments or click on any suspicious links
Report suspicious emails to the security team
In order to check the success of your social engineering training, it is advisable to carry out attack simulations. Sending fake phishing emails to everyone in the organisation (including the IT department and management!) is a good way to measure the success of your security training and identify who might need a little extra help in this matter. Track metrics on user interactions to see who interacts with any of the links or attachments, gives out their credentials or reports it to the appropriate people in your organisation. Because cybersecurity in general, and protection against Netwalker in particular, can only succeed if every single employee is part of the defence.

Michael Döhmen
Marketing & IT-Security Enthusiast
Published on 14.05.2025
