SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mailto (Back to overview)

Mailto

aka: Koko Ransomware, NetWalker

There is no description at this point.

References
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-02-11Github (0x00-0x7f)Sadia Bashir
@online{bashir:20220211:netwalker:7459a58, author = {Sadia Bashir}, title = {{Netwalker: from Powershell reflective loader to injected dll}}, date = {2022-02-11}, organization = {Github (0x00-0x7f)}, url = {https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/}, language = {English}, urldate = {2022-02-18} } Netwalker: from Powershell reflective loader to injected dll
Mailto
2022-02-08Bleeping ComputerSergiu Gatlan
@online{gatlan:20220208:netwalker:716341a, author = {Sergiu Gatlan}, title = {{NetWalker ransomware affiliate sentenced to 80 months in prison}}, date = {2022-02-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/}, language = {English}, urldate = {2022-02-09} } NetWalker ransomware affiliate sentenced to 80 months in prison
Mailto
2022-02-08FBIFBI
@techreport{fbi:20220208:statement:ad399bc, author = {FBI}, title = {{Statement of Facts Supporting the Provisional Arrest of Sebastien Vachon-Desiardins}}, date = {2022-02-08}, institution = {FBI}, url = {https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf}, language = {English}, urldate = {2022-02-09} } Statement of Facts Supporting the Provisional Arrest of Sebastien Vachon-Desiardins
Mailto
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
@online{team:20211012:ecx:5540ee9, author = {CrowdStrike Intelligence Team}, title = {{ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity}}, date = {2021-10-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/}, language = {English}, urldate = {2021-11-02} } ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-03Seguranca InformaticaPedro Tavares
@online{tavares:20210903:netwalker:34fcda6, author = {Pedro Tavares}, title = {{Netwalker ransomware full analysis}}, date = {2021-09-03}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/}, language = {English}, urldate = {2021-09-12} } Netwalker ransomware full analysis
Mailto
2021-07-09The RecordCatalin Cimpanu
@online{cimpanu:20210709:ransomwhere:bd77fbe, author = {Catalin Cimpanu}, title = {{Ransomwhere project wants to create a database of past ransomware payments}}, date = {2021-07-09}, organization = {The Record}, url = {https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/}, language = {English}, urldate = {2021-07-20} } Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-06-10ZEIT OnlineVon Kai Biermann, Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Zachary Kamel
@online{biermann:20210610:trail:42969a8, author = {Von Kai Biermann and Astrid Geisler and Herwig G. Höller and Karsten Polke-Majewski and Zachary Kamel}, title = {{On the Trail of the Internet Extortionists}}, date = {2021-06-10}, organization = {ZEIT Online}, url = {https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers}, language = {English}, urldate = {2021-07-02} } On the Trail of the Internet Extortionists
Emotet Mailto
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-18Bleeping ComputerIonut Ilascu
@online{ilascu:20210518:darkside:d8e345b, author = {Ionut Ilascu}, title = {{DarkSide ransomware made $90 million in just nine months}}, date = {2021-05-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/}, language = {English}, urldate = {2021-06-07} } DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-18The RecordCatalin Cimpanu
@online{cimpanu:20210518:darkside:14b6690, author = {Catalin Cimpanu}, title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}}, date = {2021-05-18}, organization = {The Record}, url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/}, language = {English}, urldate = {2021-05-19} } Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-05BlackberryCodi Starks, Kevin Finnigin
@online{starks:20210305:zerologon:efbc33c, author = {Codi Starks and Kevin Finnigin}, title = {{ZeroLogon to Ransomware}}, date = {2021-03-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware}, language = {English}, urldate = {2021-03-11} } ZeroLogon to Ransomware
Mailto
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-17YouTube (AGDC Services)AGDC Services
@online{services:20210217:how:d492b9b, author = {AGDC Services}, title = {{How Malware Can Resolve APIs By Hash}}, date = {2021-02-17}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=q8of74upT_g}, language = {English}, urldate = {2021-02-24} } How Malware Can Resolve APIs By Hash
Emotet Mailto
2021-02-16CybereasonTom Fakterman
@online{fakterman:20210216:cybereason:bc5074c, author = {Tom Fakterman}, title = {{Cybereason vs. NetWalker Ransomware}}, date = {2021-02-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware}, language = {English}, urldate = {2021-02-20} } Cybereason vs. NetWalker Ransomware
Mailto
2021-02-11CrowdStrikeRadu Vlad
@online{vlad:20210211:press:b7ea157, author = {Radu Vlad}, title = {{Press #1 to Play: A Look Into eCrime Menu-style Toolkits}}, date = {2021-02-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/}, language = {English}, urldate = {2021-02-20} } Press #1 to Play: A Look Into eCrime Menu-style Toolkits
Mailto CIRCUS SPIDER
2021-02-11CTI LEAGUECTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8, author = {CTI LEAGUE}, title = {{CTIL Darknet Report – 2021}}, date = {2021-02-11}, institution = {CTI LEAGUE}, url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf}, language = {English}, urldate = {2021-02-20} } CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-01-27Department of JusticeDepartment of Justice
@online{justice:20210127:department:ea07837, author = {Department of Justice}, title = {{Department of Justice Launches Global Action Against NetWalker Ransomware}}, date = {2021-01-27}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware}, language = {English}, urldate = {2021-01-29} } Department of Justice Launches Global Action Against NetWalker Ransomware
Mailto
2021-01-27Department of JusticeDepartment of Justice
@online{justice:20210127:indictment:5199031, author = {Department of Justice}, title = {{INDICTMENT of SEBASTIEN VACHON-DESJARDINS for using Netwalker ransomware to commit crime}}, date = {2021-01-27}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-mdfl/press-release/file/1360846/download}, language = {English}, urldate = {2021-01-29} } INDICTMENT of SEBASTIEN VACHON-DESJARDINS for using Netwalker ransomware to commit crime
Mailto
2021-01-27KrebsOnSecurityBrian Krebs
@online{krebs:20210127:arrest:94e1e04, author = {Brian Krebs}, title = {{Arrest, Seizures Tied to Netwalker Ransomware}}, date = {2021-01-27}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware}, language = {English}, urldate = {2021-01-29} } Arrest, Seizures Tied to Netwalker Ransomware
Mailto
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-06Cert-AgIDIncident Reponse Team
@online{team:20201106:netwalker:a6c56fe, author = {Incident Reponse Team}, title = {{Netwalker Ransomware}}, date = {2020-11-06}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/}, language = {Italian}, urldate = {2021-02-24} } Netwalker Ransomware
Mailto
2020-10-27Bleeping ComputerIonut Ilascu
@online{ilascu:20201027:enel:cd901d2, author = {Ionut Ilascu}, title = {{Enel Group hit by ransomware again, Netwalker demands $14 million}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/}, language = {English}, urldate = {2020-10-29} } Enel Group hit by ransomware again, Netwalker demands $14 million
Mailto
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-01KELAVictoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09, author = {Victoria Kivilevich}, title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}}, date = {2020-10-01}, organization = {KELA}, url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/}, language = {English}, urldate = {2021-05-07} } To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-09-08Lopqto's AdventuresHamidreza Babaee
@online{babaee:20200908:automated:eb3272c, author = {Hamidreza Babaee}, title = {{Automated dynamic import resolving using binary emulation}}, date = {2020-09-08}, organization = {Lopqto's Adventures}, url = {https://lopqto.me/posts/automated-dynamic-import-resolving}, language = {English}, urldate = {2020-09-09} } Automated dynamic import resolving using binary emulation
Mailto
2020-09-03ZenGoTal Be'ery
@online{beery:20200903:bitcoin:932fb45, author = {Tal Be'ery}, title = {{The Bitcoin Ransomware Detective Strikes Again: The UCSF Case}}, date = {2020-09-03}, organization = {ZenGo}, url = {https://zengo.com/bitcoin-ransomware-detective-ucsf/}, language = {English}, urldate = {2020-09-06} } The Bitcoin Ransomware Detective Strikes Again: The UCSF Case
Mailto
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31The DFIR ReportThe DFIR Report
@online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-03McAfeeATR Operational Intelligence Team
@online{team:20200803:take:74e0288, author = {ATR Operational Intelligence Team}, title = {{Take a “NetWalk” on the Wild Side}}, date = {2020-08-03}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/}, language = {English}, urldate = {2020-08-14} } Take a “NetWalk” on the Wild Side
Mailto
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-28FBIFBI
@techreport{fbi:20200728:indicators:7dada00, author = {FBI}, title = {{Indicators Associated with Netwalker Ransomware}}, date = {2020-07-28}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200929-2.pdf}, language = {English}, urldate = {2020-10-05} } Indicators Associated with Netwalker Ransomware
Mailto
2020-06-26USCFUSCF
@online{uscf:20200626:update:6f5b3ca, author = {USCF}, title = {{Update on IT Security Incident at UCSF}}, date = {2020-06-26}, organization = {USCF}, url = {https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf}, language = {English}, urldate = {2020-08-18} } Update on IT Security Incident at UCSF
Mailto
2020-06-10CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200610:csit20081:a09522b, author = {CrowdStrike}, title = {{CSIT-20081 : Technical Analysis Of The Netwalker Ransomware}}, date = {2020-06-10}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf}, language = {English}, urldate = {2020-07-23} } CSIT-20081 : Technical Analysis Of The Netwalker Ransomware
Mailto CIRCUS SPIDER
2020-06-05Github (DanusMinimus)Dan Lisichkin
@online{lisichkin:20200605:zero2auto:ecc4713, author = {Dan Lisichkin}, title = {{Zero2Auto - Netwalker Walk through}}, date = {2020-06-05}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/}, language = {English}, urldate = {2020-06-08} } Zero2Auto - Netwalker Walk through
Mailto
2020-05-28BleepingComputerIonut Ilascu
@online{ilascu:20200528:michigan:a52712f, author = {Ionut Ilascu}, title = {{Michigan State University network breached in ransomware attack}}, date = {2020-05-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/}, language = {English}, urldate = {2020-05-29} } Michigan State University network breached in ransomware attack
Mailto
2020-05-27SophosLabsGabor Szappanos, Andrew Brandt
@online{szappanos:20200527:netwalker:941731e, author = {Gabor Szappanos and Andrew Brandt}, title = {{Netwalker ransomware tools give insight into threat actor}}, date = {2020-05-27}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/}, language = {English}, urldate = {2020-05-29} } Netwalker ransomware tools give insight into threat actor
Mailto
2020-05-19Advanced IntelligenceAdvanced Intelligence, Bridgit Sullivan, Daniel Frey
@online{intelligence:20200519:netwalker:4681272, author = {Advanced Intelligence and Bridgit Sullivan and Daniel Frey}, title = {{NetWalker Ransomware Group Enters Advanced Targeting “Game”}}, date = {2020-05-19}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game}, language = {English}, urldate = {2020-05-23} } NetWalker Ransomware Group Enters Advanced Targeting “Game”
Mailto
2020-05-19zero2autoVitali Kremez
@online{kremez:20200519:netwalker:7ad1e7c, author = {Vitali Kremez}, title = {{Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction}}, date = {2020-05-19}, organization = {zero2auto}, url = {https://zero2auto.com/2020/05/19/netwalker-re/}, language = {English}, urldate = {2020-06-02} } Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction
Mailto
2020-05-18Trend MicroKaren Victor
@online{victor:20200518:netwalker:91f6d65, author = {Karen Victor}, title = {{Netwalker Fileless Ransomware Injected via Reflective Loading}}, date = {2020-05-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/}, language = {English}, urldate = {2020-05-20} } Netwalker Fileless Ransomware Injected via Reflective Loading
Mailto
2020-05-14tccontre Blogtcontre
@online{tcontre:20200514:netwalker:eabf178, author = {tcontre}, title = {{Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]}}, date = {2020-05-14}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html}, language = {English}, urldate = {2020-05-19} } Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]
Mailto
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-10TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200410:indepth:13fc66f, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Three of Three}}, date = {2020-04-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part Three of Three
Mailto
2020-04-08INCIBE-CERTINCIBE
@online{incibe:20200408:ransomware:61b8c41, author = {INCIBE}, title = {{Ransomware NetWalker: análisis y medidas preventivas}}, date = {2020-04-08}, organization = {INCIBE-CERT}, url = {https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas}, language = {Spanish}, urldate = {2020-04-14} } Ransomware NetWalker: análisis y medidas preventivas
Mailto
2020-04-08TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200408:indepth:c6628d7, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Two of Three}}, date = {2020-04-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part Two of Three
Mailto
2020-03-31TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200331:indepth:3719ebb, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part One of Three}}, date = {2020-03-31}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part One of Three
Mailto
2020-03-21Bleeping ComputerLawrence Abrams
@online{abrams:20200321:netwalker:5d2936c, author = {Lawrence Abrams}, title = {{Netwalker Ransomware Infecting Users via Coronavirus Phishing}}, date = {2020-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/}, language = {English}, urldate = {2020-03-22} } Netwalker Ransomware Infecting Users via Coronavirus Phishing
Mailto
2020-02-05Bleeping ComputerLawrence Abrams
@online{abrams:20200205:mailto:3027008, author = {Lawrence Abrams}, title = {{Mailto (NetWalker) Ransomware Targets Enterprise Networks}}, date = {2020-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/}, language = {English}, urldate = {2020-02-11} } Mailto (NetWalker) Ransomware Targets Enterprise Networks
Mailto
2019-09-05ID RansomwareAndrew Ivanov
@online{ivanov:20190905:netwalker:902cacb, author = {Andrew Ivanov}, title = {{Netwalker Ransomware}}, date = {2019-09-05}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } Netwalker Ransomware
Mailto
Yara Rules
[TLP:WHITE] win_mailto_auto (20221125 | Detects win.mailto.)
rule win_mailto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.mailto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4b40 8a0407 88040b ff4340 837b4040 0f85a0010000 33f6 }
            // n = 7, score = 400
            //   8b4b40               | mov                 ecx, dword ptr [ebx + 0x40]
            //   8a0407               | mov                 al, byte ptr [edi + eax]
            //   88040b               | mov                 byte ptr [ebx + ecx], al
            //   ff4340               | inc                 dword ptr [ebx + 0x40]
            //   837b4040             | cmp                 dword ptr [ebx + 0x40], 0x40
            //   0f85a0010000         | jne                 0x1a6
            //   33f6                 | xor                 esi, esi

        $sequence_1 = { 53 e8???????? 83c404 5d 5b 8bc6 5e }
            // n = 7, score = 400
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        $sequence_2 = { 83c004 660f1f440000 3930 740a 41 83c008 3bca }
            // n = 7, score = 400
            //   83c004               | add                 eax, 4
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   3930                 | cmp                 dword ptr [eax], esi
            //   740a                 | je                  0xc
            //   41                   | inc                 ecx
            //   83c008               | add                 eax, 8
            //   3bca                 | cmp                 ecx, edx

        $sequence_3 = { 8bf2 8bf8 56 57 51 ff742420 e8???????? }
            // n = 7, score = 400
            //   8bf2                 | mov                 esi, edx
            //   8bf8                 | mov                 edi, eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   51                   | push                ecx
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   e8????????           |                     

        $sequence_4 = { 8d842480000000 3bc3 7213 0f1f4000 8b048b 01448c44 41 }
            // n = 7, score = 400
            //   8d842480000000       | lea                 eax, [esp + 0x80]
            //   3bc3                 | cmp                 eax, ebx
            //   7213                 | jb                  0x15
            //   0f1f4000             | nop                 dword ptr [eax]
            //   8b048b               | mov                 eax, dword ptr [ebx + ecx*4]
            //   01448c44             | add                 dword ptr [esp + ecx*4 + 0x44], eax
            //   41                   | inc                 ecx

        $sequence_5 = { 8d4e1f 83c404 8d471f 3bf9 7724 3bc6 }
            // n = 6, score = 400
            //   8d4e1f               | lea                 ecx, [esi + 0x1f]
            //   83c404               | add                 esp, 4
            //   8d471f               | lea                 eax, [edi + 0x1f]
            //   3bf9                 | cmp                 edi, ecx
            //   7724                 | ja                  0x26
            //   3bc6                 | cmp                 eax, esi

        $sequence_6 = { 660fefc8 0f108414b4000000 0f110c17 0f104c28c0 660fefc8 }
            // n = 5, score = 400
            //   660fefc8             | pxor                xmm1, xmm0
            //   0f108414b4000000     | movups              xmm0, xmmword ptr [esp + edx + 0xb4]
            //   0f110c17             | movups              xmmword ptr [edi + edx], xmm1
            //   0f104c28c0           | movups              xmm1, xmmword ptr [eax + ebp - 0x40]
            //   660fefc8             | pxor                xmm1, xmm0

        $sequence_7 = { c744243c61006400 c74424402e006500 c744244478006500 6689442448 e8???????? 8bd8 83c404 }
            // n = 7, score = 400
            //   c744243c61006400     | mov                 dword ptr [esp + 0x3c], 0x640061
            //   c74424402e006500     | mov                 dword ptr [esp + 0x40], 0x65002e
            //   c744244478006500     | mov                 dword ptr [esp + 0x44], 0x650078
            //   6689442448           | mov                 word ptr [esp + 0x48], ax
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   83c404               | add                 esp, 4

        $sequence_8 = { 85f6 745f 681b040a7a 56 e8???????? 8b0d???????? 6850b21d58 }
            // n = 7, score = 400
            //   85f6                 | test                esi, esi
            //   745f                 | je                  0x61
            //   681b040a7a           | push                0x7a0a041b
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   6850b21d58           | push                0x581db250

        $sequence_9 = { 8d8424b0000000 50 e8???????? 56 8d8424b8000000 50 }
            // n = 6, score = 400
            //   8d8424b0000000       | lea                 eax, [esp + 0xb0]
            //   50                   | push                eax
            //   e8????????           |                     
            //   56                   | push                esi
            //   8d8424b8000000       | lea                 eax, [esp + 0xb8]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 180224
}
[TLP:WHITE] win_mailto_w0   (20210224 | Detects the Netwalker ransomware)
rule win_mailto_w0 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        author = "Crowdstrike"
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281747" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $salsaconst = "expand 32-byte kexpand 16-byte k" 
        $ins_getapi = {55 8b ec a1 ?? ?? ?? ?? 5d c3} 
        $ins_crc32 = {25 20 83 b8 ed 33 d0} 
        $ins_push1137 = {68 39 05 00 00 68 69 7a 00 00} 
        $ins_rc4 = {8b 45 ( e? | f? ) 83 c0 01 33 d2 b9 00 01 00 00 f7 f1 89 55} 
        $in_c25519 = {6a 00 68 41 db 01 00} 
    condition: 
        3 of them
}
[TLP:WHITE] win_mailto_w1   (20210224 | Detects the Netwalker ransomware)
rule win_mailto_w1 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        author = "Crowdstrike"
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281748" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $ = "namesz" fullword 
        $ = "crmask" fullword 
        $ = "idsz" fullword 
        $ = "lend" fullword 
        $ = "lfile" fullword 
        $ = "mpk" fullword 
        $ = "namesz" fullword 
        $ = "pspath" fullword 
        $ = "rwsz" fullword 
        $ = "spsz" fullword 
        $ = "svcwait" fullword 
        $ = "unlocker" fullword 
        $ = "onion1" fullword 
    condition: 10 of them
}
Download all Yara Rules