SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mailto (Back to overview)

Mailto

aka: Koko Ransomware, NetWalker

There is no description at this point.

References
2021-07-09The RecordCatalin Cimpanu
@online{cimpanu:20210709:ransomwhere:bd77fbe, author = {Catalin Cimpanu}, title = {{Ransomwhere project wants to create a database of past ransomware payments}}, date = {2021-07-09}, organization = {The Record}, url = {https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/}, language = {English}, urldate = {2021-07-20} } Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-06-10ZEIT OnlineVon Kai Biermann, Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Zachary Kamel
@online{biermann:20210610:trail:42969a8, author = {Von Kai Biermann and Astrid Geisler and Herwig G. Höller and Karsten Polke-Majewski and Zachary Kamel}, title = {{On the Trail of the Internet Extortionists}}, date = {2021-06-10}, organization = {ZEIT Online}, url = {https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers}, language = {English}, urldate = {2021-07-02} } On the Trail of the Internet Extortionists
Emotet Mailto
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-18The RecordCatalin Cimpanu
@online{cimpanu:20210518:darkside:14b6690, author = {Catalin Cimpanu}, title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}}, date = {2021-05-18}, organization = {The Record}, url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/}, language = {English}, urldate = {2021-05-19} } Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-18Bleeping ComputerIonut Ilascu
@online{ilascu:20210518:darkside:d8e345b, author = {Ionut Ilascu}, title = {{DarkSide ransomware made $90 million in just nine months}}, date = {2021-05-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/}, language = {English}, urldate = {2021-06-07} } DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zeppelin Ransomware Zloader
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker Zeppelin Ransomware
2021-03-05BlackberryCodi Starks, Kevin Finnigin
@online{starks:20210305:zerologon:efbc33c, author = {Codi Starks and Kevin Finnigin}, title = {{ZeroLogon to Ransomware}}, date = {2021-03-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware}, language = {English}, urldate = {2021-03-11} } ZeroLogon to Ransomware
Mailto
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-17YouTube (AGDC Services)AGDC Services
@online{services:20210217:how:d492b9b, author = {AGDC Services}, title = {{How Malware Can Resolve APIs By Hash}}, date = {2021-02-17}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=q8of74upT_g}, language = {English}, urldate = {2021-02-24} } How Malware Can Resolve APIs By Hash
Emotet Mailto
2021-02-16CybereasonTom Fakterman
@online{fakterman:20210216:cybereason:bc5074c, author = {Tom Fakterman}, title = {{Cybereason vs. NetWalker Ransomware}}, date = {2021-02-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware}, language = {English}, urldate = {2021-02-20} } Cybereason vs. NetWalker Ransomware
Mailto
2021-02-11CTI LEAGUECTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8, author = {CTI LEAGUE}, title = {{CTIL Darknet Report – 2021}}, date = {2021-02-11}, institution = {CTI LEAGUE}, url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf}, language = {English}, urldate = {2021-02-20} } CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-02-11CrowdStrikeRadu Vlad
@online{vlad:20210211:press:b7ea157, author = {Radu Vlad}, title = {{Press #1 to Play: A Look Into eCrime Menu-style Toolkits}}, date = {2021-02-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/}, language = {English}, urldate = {2021-02-20} } Press #1 to Play: A Look Into eCrime Menu-style Toolkits
Mailto CIRCUS SPIDER
2021-01-27Department of JusticeDepartment of Justice
@online{justice:20210127:indictment:5199031, author = {Department of Justice}, title = {{INDICTMENT of SEBASTIEN VACHON-DESJARDINS for using Netwalker ransomware to commit crime}}, date = {2021-01-27}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-mdfl/press-release/file/1360846/download}, language = {English}, urldate = {2021-01-29} } INDICTMENT of SEBASTIEN VACHON-DESJARDINS for using Netwalker ransomware to commit crime
Mailto
2021-01-27Department of JusticeDepartment of Justice
@online{justice:20210127:department:ea07837, author = {Department of Justice}, title = {{Department of Justice Launches Global Action Against NetWalker Ransomware}}, date = {2021-01-27}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware}, language = {English}, urldate = {2021-01-29} } Department of Justice Launches Global Action Against NetWalker Ransomware
Mailto
2021-01-27KrebsOnSecurityBrian Krebs
@online{krebs:20210127:arrest:94e1e04, author = {Brian Krebs}, title = {{Arrest, Seizures Tied to Netwalker Ransomware}}, date = {2021-01-27}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware}, language = {English}, urldate = {2021-01-29} } Arrest, Seizures Tied to Netwalker Ransomware
Mailto
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-06Cert-AgIDIncident Reponse Team
@online{team:20201106:netwalker:a6c56fe, author = {Incident Reponse Team}, title = {{Netwalker Ransomware}}, date = {2020-11-06}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/}, language = {Italian}, urldate = {2021-02-24} } Netwalker Ransomware
Mailto
2020-10-27Bleeping ComputerIonut Ilascu
@online{ilascu:20201027:enel:cd901d2, author = {Ionut Ilascu}, title = {{Enel Group hit by ransomware again, Netwalker demands $14 million}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/}, language = {English}, urldate = {2020-10-29} } Enel Group hit by ransomware again, Netwalker demands $14 million
Mailto
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-01KELAVictoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09, author = {Victoria Kivilevich}, title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}}, date = {2020-10-01}, organization = {KELA}, url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/}, language = {English}, urldate = {2021-05-07} } To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-09-08Lopqto's AdventuresHamidreza Babaee
@online{babaee:20200908:automated:eb3272c, author = {Hamidreza Babaee}, title = {{Automated dynamic import resolving using binary emulation}}, date = {2020-09-08}, organization = {Lopqto's Adventures}, url = {https://lopqto.me/posts/automated-dynamic-import-resolving}, language = {English}, urldate = {2020-09-09} } Automated dynamic import resolving using binary emulation
Mailto
2020-09-03ZenGoTal Be'ery
@online{beery:20200903:bitcoin:932fb45, author = {Tal Be'ery}, title = {{The Bitcoin Ransomware Detective Strikes Again: The UCSF Case}}, date = {2020-09-03}, organization = {ZenGo}, url = {https://zengo.com/bitcoin-ransomware-detective-ucsf/}, language = {English}, urldate = {2020-09-06} } The Bitcoin Ransomware Detective Strikes Again: The UCSF Case
Mailto
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31The DFIR ReportThe DFIR Report
@online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-03McAfeeATR Operational Intelligence Team
@online{team:20200803:take:74e0288, author = {ATR Operational Intelligence Team}, title = {{Take a “NetWalk” on the Wild Side}}, date = {2020-08-03}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/}, language = {English}, urldate = {2020-08-14} } Take a “NetWalk” on the Wild Side
Mailto
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-28FBIFBI
@techreport{fbi:20200728:indicators:7dada00, author = {FBI}, title = {{Indicators Associated with Netwalker Ransomware}}, date = {2020-07-28}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200929-2.pdf}, language = {English}, urldate = {2020-10-05} } Indicators Associated with Netwalker Ransomware
Mailto
2020-06-26USCFUSCF
@online{uscf:20200626:update:6f5b3ca, author = {USCF}, title = {{Update on IT Security Incident at UCSF}}, date = {2020-06-26}, organization = {USCF}, url = {https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf}, language = {English}, urldate = {2020-08-18} } Update on IT Security Incident at UCSF
Mailto
2020-06-10CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200610:csit20081:a09522b, author = {CrowdStrike}, title = {{CSIT-20081 : Technical Analysis Of The Netwalker Ransomware}}, date = {2020-06-10}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf}, language = {English}, urldate = {2020-07-23} } CSIT-20081 : Technical Analysis Of The Netwalker Ransomware
Mailto CIRCUS SPIDER
2020-06-05Github (DanusMinimus)Dan Lisichkin
@online{lisichkin:20200605:zero2auto:ecc4713, author = {Dan Lisichkin}, title = {{Zero2Auto - Netwalker Walk through}}, date = {2020-06-05}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/}, language = {English}, urldate = {2020-06-08} } Zero2Auto - Netwalker Walk through
Mailto
2020-05-28BleepingComputerIonut Ilascu
@online{ilascu:20200528:michigan:a52712f, author = {Ionut Ilascu}, title = {{Michigan State University network breached in ransomware attack}}, date = {2020-05-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/}, language = {English}, urldate = {2020-05-29} } Michigan State University network breached in ransomware attack
Mailto
2020-05-27SophosLabsGabor Szappanos, Andrew Brandt
@online{szappanos:20200527:netwalker:941731e, author = {Gabor Szappanos and Andrew Brandt}, title = {{Netwalker ransomware tools give insight into threat actor}}, date = {2020-05-27}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/}, language = {English}, urldate = {2020-05-29} } Netwalker ransomware tools give insight into threat actor
Mailto
2020-05-19Advanced IntelligenceAdvanced Intelligence, Bridgit Sullivan, Daniel Frey
@online{intelligence:20200519:netwalker:4681272, author = {Advanced Intelligence and Bridgit Sullivan and Daniel Frey}, title = {{NetWalker Ransomware Group Enters Advanced Targeting “Game”}}, date = {2020-05-19}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game}, language = {English}, urldate = {2020-05-23} } NetWalker Ransomware Group Enters Advanced Targeting “Game”
Mailto
2020-05-19zero2autoVitali Kremez
@online{kremez:20200519:netwalker:7ad1e7c, author = {Vitali Kremez}, title = {{Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction}}, date = {2020-05-19}, organization = {zero2auto}, url = {https://zero2auto.com/2020/05/19/netwalker-re/}, language = {English}, urldate = {2020-06-02} } Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction
Mailto
2020-05-18Trend MicroKaren Victor
@online{victor:20200518:netwalker:91f6d65, author = {Karen Victor}, title = {{Netwalker Fileless Ransomware Injected via Reflective Loading}}, date = {2020-05-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/}, language = {English}, urldate = {2020-05-20} } Netwalker Fileless Ransomware Injected via Reflective Loading
Mailto
2020-05-14tccontre Blogtcontre
@online{tcontre:20200514:netwalker:eabf178, author = {tcontre}, title = {{Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]}}, date = {2020-05-14}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html}, language = {English}, urldate = {2020-05-19} } Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]
Mailto
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-10TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200410:indepth:13fc66f, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Three of Three}}, date = {2020-04-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part Three of Three
Mailto
2020-04-08TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200408:indepth:c6628d7, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Two of Three}}, date = {2020-04-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part Two of Three
Mailto
2020-04-08INCIBE-CERTINCIBE
@online{incibe:20200408:ransomware:61b8c41, author = {INCIBE}, title = {{Ransomware NetWalker: análisis y medidas preventivas}}, date = {2020-04-08}, organization = {INCIBE-CERT}, url = {https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas}, language = {Spanish}, urldate = {2020-04-14} } Ransomware NetWalker: análisis y medidas preventivas
Mailto
2020-03-31TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200331:indepth:3719ebb, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part One of Three}}, date = {2020-03-31}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part One of Three
Mailto
2020-03-21Bleeping ComputerLawrence Abrams
@online{abrams:20200321:netwalker:5d2936c, author = {Lawrence Abrams}, title = {{Netwalker Ransomware Infecting Users via Coronavirus Phishing}}, date = {2020-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/}, language = {English}, urldate = {2020-03-22} } Netwalker Ransomware Infecting Users via Coronavirus Phishing
Mailto
2020-02-05Bleeping ComputerLawrence Abrams
@online{abrams:20200205:mailto:3027008, author = {Lawrence Abrams}, title = {{Mailto (NetWalker) Ransomware Targets Enterprise Networks}}, date = {2020-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/}, language = {English}, urldate = {2020-02-11} } Mailto (NetWalker) Ransomware Targets Enterprise Networks
Mailto
2019-09-05ID RansomwareAndrew Ivanov
@online{ivanov:20190905:netwalker:902cacb, author = {Andrew Ivanov}, title = {{Netwalker Ransomware}}, date = {2019-09-05}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } Netwalker Ransomware
Mailto
Yara Rules
[TLP:WHITE] win_mailto_auto (20210616 | Detects win.mailto.)
rule win_mailto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.mailto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b7c2410 c1f81a c1f91f 23c8 8bc1 c1e01a 2bf8 }
            // n = 7, score = 400
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   c1f81a               | sar                 eax, 0x1a
            //   c1f91f               | sar                 ecx, 0x1f
            //   23c8                 | and                 ecx, eax
            //   8bc1                 | mov                 eax, ecx
            //   c1e01a               | shl                 eax, 0x1a
            //   2bf8                 | sub                 edi, eax

        $sequence_1 = { 03c0 50 56 55 e8???????? 8b742430 }
            // n = 6, score = 400
            //   03c0                 | add                 eax, eax
            //   50                   | push                eax
            //   56                   | push                esi
            //   55                   | push                ebp
            //   e8????????           |                     
            //   8b742430             | mov                 esi, dword ptr [esp + 0x30]

        $sequence_2 = { 85ed 7ea4 660f1f440000 803c1e2e 7576 56 e8???????? }
            // n = 7, score = 400
            //   85ed                 | test                ebp, ebp
            //   7ea4                 | jle                 0xffffffa6
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   803c1e2e             | cmp                 byte ptr [esi + ebx], 0x2e
            //   7576                 | jne                 0x78
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_3 = { 8b0d???????? 689bb6a77a 56 89414c e8???????? 8b0d???????? }
            // n = 6, score = 400
            //   8b0d????????         |                     
            //   689bb6a77a           | push                0x7aa7b69b
            //   56                   | push                esi
            //   89414c               | mov                 dword ptr [ecx + 0x4c], eax
            //   e8????????           |                     
            //   8b0d????????         |                     

        $sequence_4 = { 8d442428 c744242000000000 50 8d442430 c744243000000000 50 8d442428 }
            // n = 7, score = 400
            //   8d442428             | lea                 eax, dword ptr [esp + 0x28]
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0
            //   50                   | push                eax
            //   8d442430             | lea                 eax, dword ptr [esp + 0x30]
            //   c744243000000000     | mov                 dword ptr [esp + 0x30], 0
            //   50                   | push                eax
            //   8d442428             | lea                 eax, dword ptr [esp + 0x28]

        $sequence_5 = { 56 8b742414 57 8b7c2410 f7de 8b0b }
            // n = 6, score = 400
            //   56                   | push                esi
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   57                   | push                edi
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   f7de                 | neg                 esi
            //   8b0b                 | mov                 ecx, dword ptr [ebx]

        $sequence_6 = { 8b742470 0f104330 89742414 8b742464 0f11442474 }
            // n = 5, score = 400
            //   8b742470             | mov                 esi, dword ptr [esp + 0x70]
            //   0f104330             | movups              xmm0, xmmword ptr [ebx + 0x30]
            //   89742414             | mov                 dword ptr [esp + 0x14], esi
            //   8b742464             | mov                 esi, dword ptr [esp + 0x64]
            //   0f11442474           | movups              xmmword ptr [esp + 0x74], xmm0

        $sequence_7 = { 8d842470010000 50 e8???????? 8d842474010000 50 e8???????? 6a50 }
            // n = 7, score = 400
            //   8d842470010000       | lea                 eax, dword ptr [esp + 0x170]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d842474010000       | lea                 eax, dword ptr [esp + 0x174]
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a50                 | push                0x50

        $sequence_8 = { 8d2c8d00000000 23e9 8b4c2430 81f1ffffff03 f7d1 8bc1 8bdd }
            // n = 7, score = 400
            //   8d2c8d00000000       | lea                 ebp, dword ptr [ecx*4]
            //   23e9                 | and                 ebp, ecx
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   81f1ffffff03         | xor                 ecx, 0x3ffffff
            //   f7d1                 | not                 ecx
            //   8bc1                 | mov                 eax, ecx
            //   8bdd                 | mov                 ebx, ebp

        $sequence_9 = { 0f84ef000000 6a20 e8???????? 83c404 89442410 85c0 }
            // n = 6, score = 400
            //   0f84ef000000         | je                  0xf5
            //   6a20                 | push                0x20
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 180224
}
[TLP:WHITE] win_mailto_w0   (20210224 | Detects the Netwalker ransomware)
rule win_mailto_w0 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281747" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $salsaconst = "expand 32-byte kexpand 16-byte k" 
        $ins_getapi = {55 8b ec a1 ?? ?? ?? ?? 5d c3} 
        $ins_crc32 = {25 20 83 b8 ed 33 d0} 
        $ins_push1137 = {68 39 05 00 00 68 69 7a 00 00} 
        $ins_rc4 = {8b 45 ( e? | f? ) 83 c0 01 33 d2 b9 00 01 00 00 f7 f1 89 55} 
        $in_c25519 = {6a 00 68 41 db 01 00} 
    condition: 
        3 of them
}
[TLP:WHITE] win_mailto_w1   (20210224 | Detects the Netwalker ransomware)
rule win_mailto_w1 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281748" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $ = "namesz" fullword 
        $ = "crmask" fullword 
        $ = "idsz" fullword 
        $ = "lend" fullword 
        $ = "lfile" fullword 
        $ = "mpk" fullword 
        $ = "namesz" fullword 
        $ = "pspath" fullword 
        $ = "rwsz" fullword 
        $ = "spsz" fullword 
        $ = "svcwait" fullword 
        $ = "unlocker" fullword 
        $ = "onion1" fullword 
    condition: 10 of them
}
Download all Yara Rules