Netwalker – Fileless Ransomware
Netwalker is a well-known ransomware that affects a victim’s computer and data in a myriad of ways. It encrypts and renames files, appending a six-character extension; it drops ransom notes in various folders on the system and opens one once it has encrypted the victim’s data and documents; and it terminates processes and services related to backup software and data-related applications, in an attempt to maintain persistence and to prevent the victim from restoring from backups. What separates this version of Netwalker from its predecessors is that it is ‘fileless’: the malware is not a compiled binary but a PowerShell script that is executed directly in memory, without the actual ransomware binary ever being written to disk.
The specific technique being leveraged in this type of attack is known as ‘reflective dynamic-link library injection.’ It allows a DLL to be loaded from memory rather than from disk, which makes it stealthier than regular DLL injection: not only is the DLL file never needed on disk, the Windows loader is never involved either. This eliminates the need to register the DLL as a loaded module of the host process, allowing it to evade DLL load monitoring tools.
The script itself hides under multiple layers of encryption, obfuscations, and encoding techniques, which act as multiple layers of stealth for the ransomware.
For a more detailed examination and analysis of this fileless variant of Netwalker, please reference the attached PDF ‘Netwalker – Fileless Ransomware’ at the end of this post.
The first step in any successful malware/ransomware attack is infecting the target system or network with the initial malware. The most effective protection against these kinds of attacks is simply not to download, execute, or follow links from unfamiliar sources, whether they arrive through email, social media, or message boards.
A few extra steps that a user or network administrator should take in order to protect against this variant of Netwalker as well as any future fileless malware attacks are:
- Secure PowerShell use by taking advantage of its logging capability to monitor suspicious behavior
- Use PowerShell protections such as Constrained Language Mode (‘ConstrainedLanguageMode’) to secure systems from malicious code
- Configure system components and disable unused and outdated ones to block possible entry points
- Establish and maintain a working data-backup policy to combat ransomware attacks in general
- Establish and maintain a robust employee training policy regarding downloading, executing, and following unknown links and files
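As an added example that is not from this post or its attached PDF, the PowerShell snippet below applies the first two recommendations: it enables Script Block Logging and Module Logging through the policy registry keys, reports the current session’s language mode, and sweeps recent Script Block Logging events (ID 4104) for strings consistent with the layered decoding and in-memory DLL loading described above. The indicator patterns and the 24-hour window are assumptions chosen for illustration; run it from an elevated session.

```powershell
# Added example (not from the original post): enable the PowerShell logging the
# recommendations above call for, then sweep 4104 events for loader-style
# indicators. The indicator list and time window are assumptions.

# 1. Enable Script Block Logging and Module Logging through the policy keys.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# 2. Report whether this session runs in Constrained Language Mode
#    (enforcement itself comes from an AppLocker/WDAC policy, not from this script).
$mode = $ExecutionContext.SessionState.LanguageMode
$color = if ($mode -eq 'ConstrainedLanguage') { 'Green' } else { 'Yellow' }
Write-Host "LanguageMode: $mode" -ForegroundColor $color

# 3. Sweep the last 24 hours of 4104 events (ScriptBlockText is Properties[2]).
$indicators = @(
    'FromBase64String',                        # layered decoding of an embedded payload
    '-[Ee]nc(odedCommand)?\s',                 # child powershell.exe launched with an encoded command
    '\[System\.Reflection\.Assembly\]::Load',  # loading code straight from memory
    'VirtualAlloc|WriteProcessMemory',         # native memory APIs used to map a DLL in memory
    'Invoke-Expression|\biex\b'                # executing a decoded string
)
$pattern = $indicators -join '|'
$since   = (Get-Date).AddHours(-24)
$hits = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PowerShell/Operational'
            Id        = 4104
            StartTime = $since
        } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            ScriptBlockId = $_.Properties[3].Value
            Path          = $_.Properties[4].Value
            Matched       = ([regex]::Matches($_.Properties[2].Value, $pattern) |
                              ForEach-Object Value | Sort-Object -Unique) -join ','
        }
    }
$hits | Format-Table -AutoSize
```

Script blocks that hit several indicators at once, or that have an empty Path (no script file on disk), are the ones worth pulling in full for review.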
Sources: