SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mailto (Back to overview)

Mailto

aka: Koko Ransomware, NetWalker

There is no description at this point.

References
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-02-11Github (0x00-0x7f)Sadia Bashir
@online{bashir:20220211:netwalker:7459a58, author = {Sadia Bashir}, title = {{Netwalker: from Powershell reflective loader to injected dll}}, date = {2022-02-11}, organization = {Github (0x00-0x7f)}, url = {https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/}, language = {English}, urldate = {2022-02-18} } Netwalker: from Powershell reflective loader to injected dll
Mailto
2022-02-08Bleeping ComputerSergiu Gatlan
@online{gatlan:20220208:netwalker:716341a, author = {Sergiu Gatlan}, title = {{NetWalker ransomware affiliate sentenced to 80 months in prison}}, date = {2022-02-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/}, language = {English}, urldate = {2022-02-09} } NetWalker ransomware affiliate sentenced to 80 months in prison
Mailto
2022-02-08FBIFBI
@techreport{fbi:20220208:statement:ad399bc, author = {FBI}, title = {{Statement of Facts Supporting the Provisional Arrest of Sebastien Vachon-Desiardins}}, date = {2022-02-08}, institution = {FBI}, url = {https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf}, language = {English}, urldate = {2022-02-09} } Statement of Facts Supporting the Provisional Arrest of Sebastien Vachon-Desiardins
Mailto
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
@online{team:20211012:ecx:5540ee9, author = {CrowdStrike Intelligence Team}, title = {{ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity}}, date = {2021-10-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/}, language = {English}, urldate = {2021-11-02} } ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-03Seguranca InformaticaPedro Tavares
@online{tavares:20210903:netwalker:34fcda6, author = {Pedro Tavares}, title = {{Netwalker ransomware full analysis}}, date = {2021-09-03}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/}, language = {English}, urldate = {2021-09-12} } Netwalker ransomware full analysis
Mailto
2021-07-09The RecordCatalin Cimpanu
@online{cimpanu:20210709:ransomwhere:bd77fbe, author = {Catalin Cimpanu}, title = {{Ransomwhere project wants to create a database of past ransomware payments}}, date = {2021-07-09}, organization = {The Record}, url = {https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/}, language = {English}, urldate = {2021-07-20} } Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-06-10ZEIT OnlineVon Kai Biermann, Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Zachary Kamel
@online{biermann:20210610:trail:42969a8, author = {Von Kai Biermann and Astrid Geisler and Herwig G. Höller and Karsten Polke-Majewski and Zachary Kamel}, title = {{On the Trail of the Internet Extortionists}}, date = {2021-06-10}, organization = {ZEIT Online}, url = {https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers}, language = {English}, urldate = {2021-07-02} } On the Trail of the Internet Extortionists
Emotet Mailto
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-18Bleeping ComputerIonut Ilascu
@online{ilascu:20210518:darkside:d8e345b, author = {Ionut Ilascu}, title = {{DarkSide ransomware made $90 million in just nine months}}, date = {2021-05-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/}, language = {English}, urldate = {2021-06-07} } DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-18The RecordCatalin Cimpanu
@online{cimpanu:20210518:darkside:14b6690, author = {Catalin Cimpanu}, title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}}, date = {2021-05-18}, organization = {The Record}, url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/}, language = {English}, urldate = {2021-05-19} } Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-05BlackberryCodi Starks, Kevin Finnigin
@online{starks:20210305:zerologon:efbc33c, author = {Codi Starks and Kevin Finnigin}, title = {{ZeroLogon to Ransomware}}, date = {2021-03-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware}, language = {English}, urldate = {2021-03-11} } ZeroLogon to Ransomware
Mailto
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-17YouTube (AGDC Services)AGDC Services
@online{services:20210217:how:d492b9b, author = {AGDC Services}, title = {{How Malware Can Resolve APIs By Hash}}, date = {2021-02-17}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=q8of74upT_g}, language = {English}, urldate = {2021-02-24} } How Malware Can Resolve APIs By Hash
Emotet Mailto
2021-02-16CybereasonTom Fakterman
@online{fakterman:20210216:cybereason:bc5074c, author = {Tom Fakterman}, title = {{Cybereason vs. NetWalker Ransomware}}, date = {2021-02-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware}, language = {English}, urldate = {2021-02-20} } Cybereason vs. NetWalker Ransomware
Mailto
2021-02-11CrowdStrikeRadu Vlad
@online{vlad:20210211:press:b7ea157, author = {Radu Vlad}, title = {{Press #1 to Play: A Look Into eCrime Menu-style Toolkits}}, date = {2021-02-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/}, language = {English}, urldate = {2021-02-20} } Press #1 to Play: A Look Into eCrime Menu-style Toolkits
Mailto CIRCUS SPIDER
2021-02-11CTI LEAGUECTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8, author = {CTI LEAGUE}, title = {{CTIL Darknet Report – 2021}}, date = {2021-02-11}, institution = {CTI LEAGUE}, url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf}, language = {English}, urldate = {2021-02-20} } CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-01-27Department of JusticeDepartment of Justice
@online{justice:20210127:department:ea07837, author = {Department of Justice}, title = {{Department of Justice Launches Global Action Against NetWalker Ransomware}}, date = {2021-01-27}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware}, language = {English}, urldate = {2021-01-29} } Department of Justice Launches Global Action Against NetWalker Ransomware
Mailto
2021-01-27Department of JusticeDepartment of Justice
@online{justice:20210127:indictment:5199031, author = {Department of Justice}, title = {{INDICTMENT of SEBASTIEN VACHON-DESJARDINS for using Netwalker ransomware to commit crime}}, date = {2021-01-27}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-mdfl/press-release/file/1360846/download}, language = {English}, urldate = {2021-01-29} } INDICTMENT of SEBASTIEN VACHON-DESJARDINS for using Netwalker ransomware to commit crime
Mailto
2021-01-27KrebsOnSecurityBrian Krebs
@online{krebs:20210127:arrest:94e1e04, author = {Brian Krebs}, title = {{Arrest, Seizures Tied to Netwalker Ransomware}}, date = {2021-01-27}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware}, language = {English}, urldate = {2021-01-29} } Arrest, Seizures Tied to Netwalker Ransomware
Mailto
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-06Cert-AgIDIncident Reponse Team
@online{team:20201106:netwalker:a6c56fe, author = {Incident Reponse Team}, title = {{Netwalker Ransomware}}, date = {2020-11-06}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/}, language = {Italian}, urldate = {2021-02-24} } Netwalker Ransomware
Mailto
2020-10-27Bleeping ComputerIonut Ilascu
@online{ilascu:20201027:enel:cd901d2, author = {Ionut Ilascu}, title = {{Enel Group hit by ransomware again, Netwalker demands $14 million}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/}, language = {English}, urldate = {2020-10-29} } Enel Group hit by ransomware again, Netwalker demands $14 million
Mailto
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-01KELAVictoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09, author = {Victoria Kivilevich}, title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}}, date = {2020-10-01}, organization = {KELA}, url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/}, language = {English}, urldate = {2021-05-07} } To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-09-08Lopqto's AdventuresHamidreza Babaee
@online{babaee:20200908:automated:eb3272c, author = {Hamidreza Babaee}, title = {{Automated dynamic import resolving using binary emulation}}, date = {2020-09-08}, organization = {Lopqto's Adventures}, url = {https://lopqto.me/posts/automated-dynamic-import-resolving}, language = {English}, urldate = {2020-09-09} } Automated dynamic import resolving using binary emulation
Mailto
2020-09-03ZenGoTal Be'ery
@online{beery:20200903:bitcoin:932fb45, author = {Tal Be'ery}, title = {{The Bitcoin Ransomware Detective Strikes Again: The UCSF Case}}, date = {2020-09-03}, organization = {ZenGo}, url = {https://zengo.com/bitcoin-ransomware-detective-ucsf/}, language = {English}, urldate = {2020-09-06} } The Bitcoin Ransomware Detective Strikes Again: The UCSF Case
Mailto
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31The DFIR ReportThe DFIR Report
@online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-03McAfeeATR Operational Intelligence Team
@online{team:20200803:take:74e0288, author = {ATR Operational Intelligence Team}, title = {{Take a “NetWalk” on the Wild Side}}, date = {2020-08-03}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/}, language = {English}, urldate = {2020-08-14} } Take a “NetWalk” on the Wild Side
Mailto
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-28FBIFBI
@techreport{fbi:20200728:indicators:7dada00, author = {FBI}, title = {{Indicators Associated with Netwalker Ransomware}}, date = {2020-07-28}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200929-2.pdf}, language = {English}, urldate = {2020-10-05} } Indicators Associated with Netwalker Ransomware
Mailto
2020-06-26USCFUSCF
@online{uscf:20200626:update:6f5b3ca, author = {USCF}, title = {{Update on IT Security Incident at UCSF}}, date = {2020-06-26}, organization = {USCF}, url = {https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf}, language = {English}, urldate = {2020-08-18} } Update on IT Security Incident at UCSF
Mailto
2020-06-10CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200610:csit20081:a09522b, author = {CrowdStrike}, title = {{CSIT-20081 : Technical Analysis Of The Netwalker Ransomware}}, date = {2020-06-10}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf}, language = {English}, urldate = {2020-07-23} } CSIT-20081 : Technical Analysis Of The Netwalker Ransomware
Mailto CIRCUS SPIDER
2020-06-05Github (DanusMinimus)Dan Lisichkin
@online{lisichkin:20200605:zero2auto:ecc4713, author = {Dan Lisichkin}, title = {{Zero2Auto - Netwalker Walk through}}, date = {2020-06-05}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/}, language = {English}, urldate = {2020-06-08} } Zero2Auto - Netwalker Walk through
Mailto
2020-05-28BleepingComputerIonut Ilascu
@online{ilascu:20200528:michigan:a52712f, author = {Ionut Ilascu}, title = {{Michigan State University network breached in ransomware attack}}, date = {2020-05-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/}, language = {English}, urldate = {2020-05-29} } Michigan State University network breached in ransomware attack
Mailto
2020-05-27SophosLabsGabor Szappanos, Andrew Brandt
@online{szappanos:20200527:netwalker:941731e, author = {Gabor Szappanos and Andrew Brandt}, title = {{Netwalker ransomware tools give insight into threat actor}}, date = {2020-05-27}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/}, language = {English}, urldate = {2020-05-29} } Netwalker ransomware tools give insight into threat actor
Mailto
2020-05-19zero2autoVitali Kremez
@online{kremez:20200519:netwalker:7ad1e7c, author = {Vitali Kremez}, title = {{Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction}}, date = {2020-05-19}, organization = {zero2auto}, url = {https://zero2auto.com/2020/05/19/netwalker-re/}, language = {English}, urldate = {2020-06-02} } Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction
Mailto
2020-05-19Advanced IntelligenceAdvanced Intelligence, Bridgit Sullivan, Daniel Frey
@online{intelligence:20200519:netwalker:4681272, author = {Advanced Intelligence and Bridgit Sullivan and Daniel Frey}, title = {{NetWalker Ransomware Group Enters Advanced Targeting “Game”}}, date = {2020-05-19}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game}, language = {English}, urldate = {2020-05-23} } NetWalker Ransomware Group Enters Advanced Targeting “Game”
Mailto
2020-05-18Trend MicroKaren Victor
@online{victor:20200518:netwalker:91f6d65, author = {Karen Victor}, title = {{Netwalker Fileless Ransomware Injected via Reflective Loading}}, date = {2020-05-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/}, language = {English}, urldate = {2020-05-20} } Netwalker Fileless Ransomware Injected via Reflective Loading
Mailto
2020-05-14tccontre Blogtcontre
@online{tcontre:20200514:netwalker:eabf178, author = {tcontre}, title = {{Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]}}, date = {2020-05-14}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html}, language = {English}, urldate = {2020-05-19} } Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]
Mailto
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-10TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200410:indepth:13fc66f, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Three of Three}}, date = {2020-04-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part Three of Three
Mailto
2020-04-08INCIBE-CERTINCIBE
@online{incibe:20200408:ransomware:61b8c41, author = {INCIBE}, title = {{Ransomware NetWalker: análisis y medidas preventivas}}, date = {2020-04-08}, organization = {INCIBE-CERT}, url = {https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas}, language = {Spanish}, urldate = {2020-04-14} } Ransomware NetWalker: análisis y medidas preventivas
Mailto
2020-04-08TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200408:indepth:c6628d7, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Two of Three}}, date = {2020-04-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part Two of Three
Mailto
2020-03-31TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200331:indepth:3719ebb, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part One of Three}}, date = {2020-03-31}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part One of Three
Mailto
2020-03-21Bleeping ComputerLawrence Abrams
@online{abrams:20200321:netwalker:5d2936c, author = {Lawrence Abrams}, title = {{Netwalker Ransomware Infecting Users via Coronavirus Phishing}}, date = {2020-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/}, language = {English}, urldate = {2020-03-22} } Netwalker Ransomware Infecting Users via Coronavirus Phishing
Mailto
2020-02-05Bleeping ComputerLawrence Abrams
@online{abrams:20200205:mailto:3027008, author = {Lawrence Abrams}, title = {{Mailto (NetWalker) Ransomware Targets Enterprise Networks}}, date = {2020-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/}, language = {English}, urldate = {2020-02-11} } Mailto (NetWalker) Ransomware Targets Enterprise Networks
Mailto
2019-09-05ID RansomwareAndrew Ivanov
@online{ivanov:20190905:netwalker:902cacb, author = {Andrew Ivanov}, title = {{Netwalker Ransomware}}, date = {2019-09-05}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } Netwalker Ransomware
Mailto
Yara Rules
[TLP:WHITE] win_mailto_auto (20230125 | Detects win.mailto.)
rule win_mailto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.mailto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b442424 89742414 897c241c 894c2430 89542424 89442428 83ed01 }
            // n = 7, score = 400
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   89742414             | mov                 dword ptr [esp + 0x14], esi
            //   897c241c             | mov                 dword ptr [esp + 0x1c], edi
            //   894c2430             | mov                 dword ptr [esp + 0x30], ecx
            //   89542424             | mov                 dword ptr [esp + 0x24], edx
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   83ed01               | sub                 ebp, 1

        $sequence_1 = { 8b4500 8d4c2424 51 6a00 55 c744243000000000 }
            // n = 6, score = 400
            //   8b4500               | mov                 eax, dword ptr [ebp]
            //   8d4c2424             | lea                 ecx, [esp + 0x24]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   55                   | push                ebp
            //   c744243000000000     | mov                 dword ptr [esp + 0x30], 0

        $sequence_2 = { 0f84bd000000 3c0d 0f84b5000000 3c2c 0f84ad000000 3c7b 0f840b020000 }
            // n = 7, score = 400
            //   0f84bd000000         | je                  0xc3
            //   3c0d                 | cmp                 al, 0xd
            //   0f84b5000000         | je                  0xbb
            //   3c2c                 | cmp                 al, 0x2c
            //   0f84ad000000         | je                  0xb3
            //   3c7b                 | cmp                 al, 0x7b
            //   0f840b020000         | je                  0x211

        $sequence_3 = { 56 894140 e8???????? 8b0d???????? 68e5baf47e 56 894144 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   894140               | mov                 dword ptr [ecx + 0x40], eax
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   68e5baf47e           | push                0x7ef4bae5
            //   56                   | push                esi
            //   894144               | mov                 dword ptr [ecx + 0x44], eax

        $sequence_4 = { e8???????? 8bf0 83c404 85f6 744a 8b442414 8906 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi
            //   744a                 | je                  0x4c
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_5 = { 8b4610 8d7e14 8d048504000000 50 57 }
            // n = 5, score = 400
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   8d7e14               | lea                 edi, [esi + 0x14]
            //   8d048504000000       | lea                 eax, [eax*4 + 4]
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_6 = { 747d 55 8d3c73 57 e8???????? 83c404 }
            // n = 6, score = 400
            //   747d                 | je                  0x7f
            //   55                   | push                ebp
            //   8d3c73               | lea                 edi, [ebx + esi*2]
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_7 = { ffd0 85c0 740f 03fe c744241c01000000 83d300 eb07 }
            // n = 7, score = 400
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   03fe                 | add                 edi, esi
            //   c744241c01000000     | mov                 dword ptr [esp + 0x1c], 1
            //   83d300               | adc                 ebx, 0
            //   eb07                 | jmp                 9

        $sequence_8 = { ff742410 57 8b4008 6a08 56 ffd0 5f }
            // n = 7, score = 400
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   57                   | push                edi
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   6a08                 | push                8
            //   56                   | push                esi
            //   ffd0                 | call                eax
            //   5f                   | pop                 edi

        $sequence_9 = { 83c408 85c0 750d 46 3b7704 72d0 5f }
            // n = 7, score = 400
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   46                   | inc                 esi
            //   3b7704               | cmp                 esi, dword ptr [edi + 4]
            //   72d0                 | jb                  0xffffffd2
            //   5f                   | pop                 edi

    condition:
        7 of them and filesize < 180224
}
[TLP:WHITE] win_mailto_w0   (20210224 | Detects the Netwalker ransomware)
rule win_mailto_w0 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        author = "Crowdstrike"
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281747" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $salsaconst = "expand 32-byte kexpand 16-byte k" 
        $ins_getapi = {55 8b ec a1 ?? ?? ?? ?? 5d c3} 
        $ins_crc32 = {25 20 83 b8 ed 33 d0} 
        $ins_push1137 = {68 39 05 00 00 68 69 7a 00 00} 
        $ins_rc4 = {8b 45 ( e? | f? ) 83 c0 01 33 d2 b9 00 01 00 00 f7 f1 89 55} 
        $in_c25519 = {6a 00 68 41 db 01 00} 
    condition: 
        3 of them
}
[TLP:WHITE] win_mailto_w1   (20210224 | Detects the Netwalker ransomware)
rule win_mailto_w1 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        author = "Crowdstrike"
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281748" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $ = "namesz" fullword 
        $ = "crmask" fullword 
        $ = "idsz" fullword 
        $ = "lend" fullword 
        $ = "lfile" fullword 
        $ = "mpk" fullword 
        $ = "namesz" fullword 
        $ = "pspath" fullword 
        $ = "rwsz" fullword 
        $ = "spsz" fullword 
        $ = "svcwait" fullword 
        $ = "unlocker" fullword 
        $ = "onion1" fullword 
    condition: 10 of them
}
Download all Yara Rules