Netwalker Ransomware Infecting Users via Coronavirus Phishing
NetWalker ransomware is believed to be a variant of the Mailto Ransomware family. Every file it encrypts is made inaccessible and renamed with a secondary extension made up of .mailto followed by an email address. The NetWalker ransomware then drops a ransom note, which gives instructions to victims on how they can allegedly restore their data by paying a ransom fee.
MalwareHunterTeam was able to find an attachment used in a new Coronavirus phishing campaign that installs the Netwalker Ransomware.
Cybercriminals launched a NetWalker (Mailto) ransomware attack against the Illinois Champaign-Urbana Public Health District (CUPHD) website, according to The News-Gazette. The health district’s email accounts, environmental health records and patient electronic medical records were unaffected by the cyberattack.
The NetWalker attack was discovered last week as CUPHD officials tried to deliver Coronavirus (COVID-19) updates to Champaign-Urbana residents, The News-Gazette reported. It temporarily prevented health district employees from accessing certain files.
The new Netwalker phishing campaign is using an attachment named “CORONAVIRUS_COVID-19.vbs” that contains an embedded Netwalker Ransomware executable and obfuscated code to extract and launch it on the computer.
When the script is executed, the executable will be saved to %Temp%\qeSw.exe and launched.
Once executed, the ransomware will encrypt the files on the computer and append a random extension to encrypted file names. Of particular interest, Head of SentinelLabs Vitali Kremez told BleepingComputer that this version of the ransomware specifically avoids terminating the Fortinet endpoint protection client. When asked why they would do that, Kremez stated it may be to avoid detection.
“I suppose it might be because they have already disabled the anti-virus functionality directly from the customer admin panel; however, they do not want to trip an alarm by terminating the clients,” Kremez told BleepingComputer.
When done, victims will find a ransom note named -Readme.txt that contains instructions on how to access the ransomware’s Tor payment site to pay the ransom demand.
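The delivery chain described above (a .vbs attachment run by the Windows script host, an executable dropped to %Temp% and launched, then a ransom note written into every directory that was encrypted) leaves a simple, detectable footprint in endpoint telemetry. The following is an added detection example written for this article, not code from the article, from BleepingComputer, or from any vendor product. It parses constructed Sysmon-style key=value event lines (the field names, the sample paths and user name, and the three-directory threshold are all assumptions made for illustration) and raises two alerts: a script host spawning an executable from a Temp directory, and one process writing a file ending in -Readme.txt into several distinct directories. The note rule matches on the suffix rather than the exact name, so it generalises beyond the single file name quoted in the article.

```python
"""Detection rules for the Netwalker delivery chain described in the article.

Added example, not the article's or any vendor's code. Events are constructed
Sysmon-style key=value records; field names and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). The user name, drive letters
# and directory names are invented; qeSw.exe and the .vbs name come from the
# article.
SAMPLE_EVENTS = [
    "EventID=1 ParentImage=C:\\Windows\\System32\\wscript.exe "
    "ParentCommandLine=\"wscript.exe C:\\Users\\alice\\Downloads\\CORONAVIRUS_COVID-19.vbs\" "
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\qeSw.exe",
    "EventID=1 ParentImage=C:\\Windows\\explorer.exe "
    "ParentCommandLine=\"explorer.exe\" Image=C:\\Windows\\System32\\notepad.exe",
    "EventID=11 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\qeSw.exe "
    "TargetFilename=C:\\Users\\alice\\Documents\\-Readme.txt",
    "EventID=11 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\qeSw.exe "
    "TargetFilename=C:\\Users\\alice\\Pictures\\-Readme.txt",
    "EventID=11 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\qeSw.exe "
    "TargetFilename=D:\\Shares\\finance\\-Readme.txt",
]

# key=value pairs; values may be quoted (command lines contain spaces)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# %Temp% resolves to the per-user Temp for interactive users and to
# C:\Windows\Temp for SYSTEM, so match either location.
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local|Windows)\\Temp\\", re.IGNORECASE)
RANSOM_NOTE_SUFFIX = "-readme.txt"
NOTE_DIR_THRESHOLD = 3  # assumption: the same note in 3+ directories is suspicious


def parse_event(line):
    """Turn one key=value event line into a dict of string fields."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in FIELD_RE.finditer(line)
    }


def script_host_drops_exe(ev):
    """Process creation (EventID 1) where wscript/cscript launches an .exe from Temp."""
    if ev.get("EventID") != "1":
        return False
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("Image", "")
    return (parent in SCRIPT_HOSTS
            and image.lower().endswith(".exe")
            and TEMP_DIR_RE.search(image) is not None)


def ransom_note_spray(events):
    """Map each writing process to the number of distinct directories in which it
    created a file named *-Readme.txt (file-create EventID 11), keeping only
    processes at or above the threshold."""
    dirs_by_proc = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != "11":
            continue
        target = ev.get("TargetFilename", "")
        if target.lower().endswith(RANSOM_NOTE_SUFFIX):
            dirs_by_proc[ev.get("Image", "")].add(target.rsplit("\\", 1)[0])
    return {proc: len(d) for proc, d in dirs_by_proc.items()
            if len(d) >= NOTE_DIR_THRESHOLD}


def detect(lines):
    """Run both rules over raw event lines; return (rule, subject, detail) tuples."""
    events = [parse_event(line) for line in lines]
    alerts = []
    for ev in events:
        if script_host_drops_exe(ev):
            alerts.append(("script_host_dropped_exe", ev["Image"],
                           ev.get("ParentCommandLine", "")))
    for proc, n in ransom_note_spray(events).items():
        alerts.append(("ransom_note_spray", proc, f"{n} directories"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

The first rule fires before any encryption happens, which is the point at which an endpoint agent still has the option to block the child process; the second is a corroborating signal that also catches variants whose dropper path differs. Both rely on process-creation and file-create telemetry being collected, which is why Kremez's observation that the ransomware leaves the Fortinet client running (so as not to trip an alarm) matters: an intact agent is still reporting these events.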