Diriga Cybersecurity Ransomware Protection

Netwalker Ransomware Targeting Users via Coronavirus Phishing

As if people didn’t have enough to think about in these difficult times, attackers are now targeting people with Coronavirus (COVID-19) phishing emails that install the Netwalker ransomware.

Sadly, we do not have an example of the actual phishing email that was being sent, but MalwareHunterTeam was able to find an attachment used in a recent Coronavirus phishing campaign that installs the Netwalker ransomware.

Netwalker is a ransomware formerly known as Mailto that has recently become popular as it targets businesses and government agencies. Two commonly known Netwalker-related attacks are those on the Illinois Toll Party and the Champaign Urbana Public Health District (CHUPD).

The new Netwalker phishing campaign uses an attachment named “CORONAVIRUS COVID-19.vbs”, which contains an embedded executable and obfuscated code to extract and launch it on the end user’s device.

VBS Attachment

When the script is executed, the executable will be saved to %Temp%\qeSw.exe and launched.

Netwalker Executable

Once executed, the ransomware encrypts the files on the device and applies a random extension to the encrypted file names.

When the encryption process is completed, victims of this ransomware will find a ransom note named [extension]-Readme.txt that contains instructions on how to access the ransomware’s Tor payment site to pay the ransom demand, usually in bitcoin.

Netwalker Ransom Note

Sadly, there is no known vulnerability in the ransomware at this time that would enable victims to decrypt their files for free.

Instead, victims will need to either restore from backup or recreate the missing files.
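The behaviour described above (a script host running the .vbs attachment, an executable launched from %Temp%, and a ransom note whose name starts with the new file extension) can be turned into endpoint detection logic. The following Python sketch is an added example, not code from the original post; the event field names, the Temp path layout and the sample events are constructed assumptions.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"  # assumed per-user %Temp% layout
NOTE_RE = re.compile(r"^(?P<ext>[0-9a-z]+)-readme\.txt$", re.IGNORECASE)

def detect(events):
    """Return a sorted list of finding names for one host's event list."""
    findings = set()
    created = {}  # folder -> extensions of files created there
    notes = []    # (folder, extension claimed by the note's file name)
    for ev in events:
        if ev["type"] == "process_create":
            parent = ntpath.basename(ev["parent_image"]).lower()
            image = ev["image"].lower()
            host = ntpath.basename(image)
            if host in SCRIPT_HOSTS and ".vbs" in ev["command_line"].lower():
                findings.add("vbs_script_executed")
            if parent in SCRIPT_HOSTS and TEMP_MARKER in image and image.endswith(".exe"):
                findings.add("script_host_spawned_temp_exe")
        elif ev["type"] == "file_create":
            folder, name = ntpath.split(ev["path"].lower())
            m = NOTE_RE.match(name)
            if m:
                notes.append((folder, m.group("ext")))
            else:
                ext = ntpath.splitext(name)[1].lstrip(".")
                created.setdefault(folder, set()).add(ext)
    # A note named <ext>-Readme.txt only counts when files carrying .<ext>
    # appeared in the same folder; this filters out ordinary readme files.
    if any(ext in created.get(folder, ()) for folder, ext in notes):
        findings.add("ransom_note_matches_new_extension")
    return sorted(findings)

# Constructed sample telemetry (not captured from a real incident).
SAMPLE = [
    {"type": "process_create", "parent_image": r"C:\Program Files\Mail\mail.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\a\Downloads\CORONAVIRUS COVID-19.vbs"'},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\a\AppData\Local\Temp\qeSw.exe", "command_line": "qeSw.exe"},
    {"type": "file_create", "path": r"C:\Users\a\Documents\report.docx.3f9a1c"},
    {"type": "file_create", "path": r"C:\Users\a\Documents\3f9a1c-Readme.txt"},
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Because the encrypted-file extension is random, the check correlates the note name with extensions seen in the same folder rather than matching a fixed string.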

Coronavirus attacks are becoming more frequent!

With the Coronavirus pandemic ongoing, threat actors have recently begun using it as a theme for their phishing campaigns and malware.

We saw the TrickBot trojan using text from Coronavirus-related news stories to make it less detectable, a ransomware called CoronaVirus, the data-stealing FormBook malware distributed by phishing campaigns, and even an email blackmail scheme threatening to infect your family with Coronavirus.

This has resulted in the US Cybersecurity and Infrastructure Security Agency (CISA) issuing alerts about the proliferation of Coronavirus-themed scams and the World Health Organization (WHO) issuing warnings about phishing scams that impersonate their organization.

Because threat actors typically take advantage of subjects that spread anxiety and fear, everyone must be more vigilant than ever against suspicious emails and the promotion of programs from unknown sources.

Please look at our Security Awareness Training and Ransomware Protection Services to see how we can help your business become more secure!