Netwalker Ransomware Targeting Users via Coronavirus Phishing
As if people didn't have enough to think about in these difficult times, attackers are now threatening people with Coronavirus (COVID-19) themed phishing emails that install the Netwalker Ransomware.
Although we do not have an example of the actual phishing email that was being sent, MalwareHunterTeam was able to find an attachment used in a recent Coronavirus phishing campaign that installs the Netwalker Ransomware.
Netwalker is a ransomware formerly known as Mailto that has recently become popular as it targets businesses and government agencies. Two commonly known Netwalker-related attacks are those on the Illinois Toll Party and the Champaign Urbana Public Health District (CHUPD).
The new Netwalker phishing campaign uses an attachment named “CORONAVIRUS COVID-19.vbs”, which contains an embedded executable and obfuscated code to extract and launch it on the end user's device.
When the script is executed, the executable will be saved to %Temp%\qeSw.exe and launched.
Once executed, the ransomware encrypts the files on the device and applies a random extension to the encrypted file names.
When the encryption process is completed, victims of this ransomware will find a ransom note named [extension]-Readme.txt that contains instructions on how to access the ransomware’s Tor payment site to pay the ransom demand usually via bitcoins.
Sadly, there is no known vulnerability in the ransomware at this time which would enable victims to decrypt their files for free.
Instead, victims will need to either restore from backup or recreate the missing files.
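The behaviour described above (a .vbs attachment that drops and launches an executable from %Temp%, then leaves an [extension]-Readme.txt note) can be turned into two simple detection rules. The following is an added example, not code from the original article: the event format, the sample events, the `MIN_FILES` threshold, the expansion of %Temp% to the default per-user folder, and the assumption that the random extension is appended to file names are all constructed for illustration.

```python
import re
from collections import Counter
from ntpath import basename, splitext  # Windows path rules on any OS

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: %Temp% expands to the default per-user AppData\Local\Temp.
TEMP_EXE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
NOTE_NAME = re.compile(r"^([0-9a-z]+)-readme\.txt$", re.I)
MIN_FILES = 3  # hypothetical threshold of files sharing the note's prefix

def detect(events):
    """Return alerts for a list of constructed, Sysmon-like event dicts."""
    alerts = []
    # Rule 1: a script host starts an executable stored directly in %Temp%.
    for e in events:
        if (e["type"] == "process"
                and basename(e["parent"]).lower() in SCRIPT_HOSTS
                and TEMP_EXE.search(e["image"])):
            alerts.append(f"script host launched {basename(e['image'])} from Temp")
    # Rule 2: an "<ext>-Readme.txt" note whose prefix is also the extension
    # carried by several newly written files.
    names = [basename(e["path"]) for e in events if e["type"] == "file"]
    exts = Counter(splitext(n)[1].lstrip(".").lower() for n in names)
    seen = set()
    for n in names:
        m = NOTE_NAME.match(n)
        ext = m.group(1).lower() if m else None
        if ext and ext not in seen and exts[ext] >= MIN_FILES:
            seen.add(ext)
            alerts.append(f"ransom note for .{ext} alongside {exts[ext]} files with that extension")
    return alerts

# Constructed sample telemetry (not taken from a real incident).
DOCS = "C:\\Users\\alice\\Documents\\"
SAMPLE_EVENTS = [
    {"type": "process", "parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\qeSw.exe"},
    {"type": "process", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"type": "file", "path": DOCS + "report.docx.a1b2c3"},
    {"type": "file", "path": DOCS + "budget.xlsx.a1b2c3"},
    {"type": "file", "path": DOCS + "photo.jpg.a1b2c3"},
    {"type": "file", "path": DOCS + "a1b2c3-Readme.txt"},
    {"type": "file", "path": DOCS + "project-Readme.txt"},  # benign look-alike
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Correlating the note's prefix with the extension on nearby files keeps an ordinary file such as `project-Readme.txt` from raising an alert on its own.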
Coronavirus attacks are becoming more frequent!
With the Coronavirus pandemic ongoing, threat actors have recently begun using it as a theme for their phishing campaigns and malware.
We saw the TrickBot trojan using text from Coronavirus related news stories to make it less detectable, a ransomware called CoronaVirus, the data-stealing FormBook malware distributed by phishing campaigns, and even an email blackmail scheme threatening to infect your family with Coronavirus.
This has resulted in the US Cybersecurity and Infrastructure Security Agency (CISA) issuing alerts about the proliferation of Coronavirus-themed scams and the World Health Organization (WHO) issuing warnings about phishing scams that impersonate their organization.
Because threat actors typically take advantage of subjects that spread anxiety and fear, everyone must be more vigilant than ever against suspicious emails and the promotion of programs from unknown sources.