Rewterz Threat Alert – Gozi The Malware with a Thousand Faces
September 1, 2020
Rewterz Threat Alert – Covid-19 Themed Malicious URLs
September 1, 2020
Severity
High
Analysis Summary
Netwalker ransomware attacks on foreign government organizations, education entities, private companies, and health agencies have been observed. The ransomware first appeared in August 2019 under the name Mailto and was rebranded to NetWalker towards the end of 2019. Following a successful intrusion, Netwalker encrypts the Windows-based devices it can reach and the data on them, rendering critical files, databases, and applications inaccessible to users. When executed, the sample reads an embedded configuration that includes the ransom note text, the ransom note file names, and various other configuration options.
Netwalker operates as a closed-access ransomware-as-a-service (RaaS). Other criminal groups apply, go through a vetting process, and are then granted access to a web portal where they can build custom versions of the ransomware.
Distribution is left to these second-tier groups, known as affiliates, and each group deploys the ransomware as it sees fit, so the initial-access vector and the exact binaries seen in one intrusion may differ from those seen in another.
Impact
- Files encryption
- Data Theft
- Unauthorized Access
- Information disclosure
- Network-wide infection
Indicators of Compromise
MD5
- 5af5e3426926e551ed3acc5bea45eac6
- 0d890fc8e761b764ba3a04af07197e20
- 96e1849976d90425e74f075ed6bf8c30
- 531c0c5e943863b00c7157c05603113a
- 81c965ff526e7afd73c91543fee381a3
- 8e030188e0d03654d5e7a7738a9d6a9a
SHA-256
- f743c0849d69b5ea2f7eaf28831c86c1536cc27ae470f20e49223cbdba9c677c
- e56d45628f0c2bda30ab235657704aac50a8433bdb4215c77a2e0f52f0f31a49
- ae431797c551c20fe2f3fe1adc08a566edfabf45abbd924f0c8da06381ab6e48
- 4f7dd00a005caf046dd7e494fea25be2264974264d567edfc89122242b7c41bc
- 5ae06a8d117e876476832245039715825fbfbefc0d2463ab6c30295dd1d4afa6
- 36be48e4eac81ad77aeade20b28ff8b72275832e6833f5e1b692eb99f312fd13
SHA-1
- 1296a1f8887753ef87910b544727de76ce2adcc5
- e0a37d0c26b351b789caffc8c90b968269982d55
- 21c0ed7abaafbfd14c777aa370f397e4351654a6
- caa18377e764a3a27c715b3d69ba2258ee4eb0b2
- b9b83b17fd6d89807dcab7772b1416fa90ca4b0e
- e24a174fff19d873df0fa5eddd9ec534617ed9d7
Remediation
- Block the threat indicators listed above at your respective controls (endpoint protection, email and web gateways).
- Search for the IOCs in your environment, including historical logs and file repositories, and treat any hit as a likely active intrusion rather than an isolated infected host.
- Maintain a strong password policy.
- Keep all systems, applications, and software updated to the latest patched versions against all known security vulnerabilities.
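The following is an added example, not part of the original alert, showing how the "search for IOCs" step can be carried out on a file share or workstation: it embeds the MD5, SHA-1 and SHA-256 hashes listed above, hashes every file under a directory once with all three algorithms, and reports any file whose digest appears in the set. The directory layout and the benign sample file in `demo()` are constructed here for illustration; the hash values are the alert's own.

```python
import hashlib
import tempfile
from pathlib import Path

# IOC hashes copied from the alert above (MD5, SHA-1 and SHA-256).
# Stored lower-cased in one set so a single lookup covers all three algorithms.
_RAW_IOCS = [
    # MD5
    "5af5e3426926e551ed3acc5bea45eac6", "0d890fc8e761b764ba3a04af07197e20",
    "96e1849976d90425e74f075ed6bf8c30", "531c0c5e943863b00c7157c05603113a",
    "81c965ff526e7afd73c91543fee381a3", "8e030188e0d03654d5e7a7738a9d6a9a",
    # SHA-256
    "f743c0849d69b5ea2f7eaf28831c86c1536cc27ae470f20e49223cbdba9c677c",
    "e56d45628f0c2bda30ab235657704aac50a8433bdb4215c77a2e0f52f0f31a49",
    "ae431797c551c20fe2f3fe1adc08a566edfabf45abbd924f0c8da06381ab6e48",
    "4f7dd00a005caf046dd7e494fea25be2264974264d567edfc89122242b7c41bc",
    "5ae06a8d117e876476832245039715825fbfbefc0d2463ab6c30295dd1d4afa6",
    "36be48e4eac81ad77aeade20b28ff8b72275832e6833f5e1b692eb99f312fd13",
    # SHA-1
    "1296a1f8887753ef87910b544727de76ce2adcc5", "e0a37d0c26b351b789caffc8c90b968269982d55",
    "21c0ed7abaafbfd14c777aa370f397e4351654a6", "caa18377e764a3a27c715b3d69ba2258ee4eb0b2",
    "b9b83b17fd6d89807dcab7772b1416fa90ca4b0e", "e24a174fff19d873df0fa5eddd9ec534617ed9d7",
]
NETWALKER_IOCS = {h.strip().lower() for h in _RAW_IOCS}

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS):
    """Read the file once and return {algorithm: hex digest} for every algorithm.

    Reading in 1 MiB chunks keeps memory flat on large files (VM images,
    database dumps) which are exactly the files ransomware goes after.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_directory(root, iocs=NETWALKER_IOCS):
    """Walk `root` recursively and return [(path, algorithm, digest)] for every
    regular file whose digest under any algorithm is in `iocs`.

    Unreadable files (locked, permission denied) are skipped rather than
    aborting the scan, since a partial result is still useful during IR.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue
        for algo, digest in digests.items():
            if digest in iocs:
                hits.append((str(path), algo, digest))
                break  # one report per file is enough
    return hits


def demo():
    """Constructed demonstration: scan a temp directory holding one harmless
    file, first against the alert's IOCs (no hit expected) and then against a
    demo IOC set seeded with that file's own SHA-256 (one hit expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "benign.txt"
        benign.write_bytes(b"constructed, harmless test content\n")  # constructed sample
        digests = hash_file(benign)
        return {
            "benign": str(benign),
            "digests": digests,
            "real_hits": scan_directory(tmp),
            "demo_hits": scan_directory(tmp, iocs={digests["sha256"]}),
        }


if __name__ == "__main__":
    result = demo()
    print("hits against alert IOCs:", result["real_hits"])
    print("hits against seeded demo set:", result["demo_hits"])
```

Run it as `python netwalker_ioc_scan.py` for the demo, or call `scan_directory("/path/to/share")` against a real tree. Because Netwalker affiliates build their own variants through the RaaS portal, a clean hash scan only tells you that these particular samples are absent; it should be paired with the remediation steps above and with behavioural detection, not treated as proof that no variant is present.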