Stealthy 'Netwalker' Ransomware Using Windows Explorer And 'Art of Deception' To Infect Enterprise Networks

Researchers at Quick Heal Security Labs have discovered a new strain of the “Mailto” ransomware, nicknamed “Netwalker”, that uses the art of deception to evade detection. The new strain targets enterprise users and Windows devices, using Explorer.exe (not Internet Explorer) to carry out its evasion through a form of “process injection.” This is a slight deviation from the method commonly used by most ransomware, which relies on process hollowing by hiding in the computer's suspended processes.

The new ransomware strain of “Mailto” uses the debug API to get Explorer.exe to start its execution, and then proceeds to eliminate all of its traces when completed. All configuration and instructions are stored in a base64-encoded ransom note.

The Process of Deceptive Processes Described by Quick Heal

According to Quick Heal Security Labs, “the Mailto or Netwalker performs process hollowing in explorer.exe. This helps in evading the Anti-Virus software (AVs) to easily perform the encryption.

“In process hollowing, usually, the target process is created in suspended mode, and the injection is carried out. But here the process is not created in suspended mode— rather, it uses the ‘Debug’ mode.

“To perform further injection activity, it gets the process and thread details using debug APIs like WaitForDebugEvent.”

“One should take care and should not completely trust those processes that appear to be legitimate [and] that ultimately might help malware to bypass security products. Here, the injection through process hollowing is done in explorer.exe, which itself makes it very difficult to make its presence perceptible. Moreover, while creating the process for injection, instead of using a suspended mode, it is using the not so commonly used ‘Debug’ mode. This makes AV prevention techniques [prone] to fail.”
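The practical takeaway from Quick Heal's description is that the creation mode (suspended versus debug) is not something standard process-creation telemetry records, so a detection that keys on "explorer.exe created suspended" misses the debug-mode variant. What stays visible in either case is the parentage: a legitimate explorer.exe is started by the logon shell chain, not by an executable in a user's Temp folder. The script below is an added illustration, not code from Quick Heal or KnowBe4, that hunts for explorer.exe launched by an unexpected parent in a simplified key=value rendering of Sysmon Event ID 1 (process create). The sample events are constructed, and the list of "expected parents" is an assumption for the demo that should be tuned to the environment.

```python
"""Hunt for explorer.exe launched by an unexpected parent in process-creation telemetry.

Added illustration for the Netwalker write-up; not Quick Heal's or KnowBe4's code.
Assumptions: events arrive as 'Key=Value' pairs (a simplified Sysmon Event ID 1 view),
and EXPECTED_PARENTS below is a demo assumption, not a vendor-supplied list.
"""
import re
import ntpath

# Parents that normally start explorer.exe on a workstation (assumption for this demo:
# userinit.exe launches the shell at logon, explorer.exe relaunches itself, and a user
# restarting the shell from Task Manager shows up as taskmgr.exe).
EXPECTED_PARENTS = {"userinit.exe", "explorer.exe", "taskmgr.exe"}

# Path fragments a normal user can write to; a parent running from here is more suspicious.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'Key=Value Key=Value ...' into a dict (values carry no spaces in this format)."""
    return dict(KV_RE.findall(line))


def basename(path):
    """Windows-style basename, lower-cased, so it works on any host OS."""
    return ntpath.basename(path).lower()


def assess(event):
    """Return (severity, reason) for one parsed event, or None if nothing is worth flagging."""
    if event.get("EventID") != "1":          # only process-create events carry parentage
        return None
    if basename(event.get("Image", "")) != "explorer.exe":
        return None
    parent = event.get("ParentImage", "")
    if basename(parent) in EXPECTED_PARENTS:
        return None
    if any(marker in parent.lower() for marker in USER_WRITABLE_MARKERS):
        return ("high", f"explorer.exe started by {parent} from a user-writable path")
    return ("medium", f"explorer.exe started by unexpected parent {parent}")


def hunt(lines):
    """Run assess() over raw lines; return [(line_no, severity, reason), ...] for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = assess(parse_event(line))
        if verdict:
            hits.append((n, *verdict))
    return hits


# Constructed sample events (not real logs). Line 3 models the pattern described above:
# explorer.exe brought up by a dropped executable. Line 5 is the same pairing but on a
# network-connection event (ID 3), which carries no parentage and must not be flagged.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe User=CORP\alice",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe User=CORP\alice",
    r"EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Users\alice\AppData\Local\Temp\invoice.exe User=CORP\alice",
    r"EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\cmd.exe User=CORP\alice",
    r"EventID=3 Image=C:\Windows\explorer.exe ParentImage=C:\Users\alice\AppData\Local\Temp\invoice.exe User=CORP\alice",
]

if __name__ == "__main__":
    for n, severity, reason in hunt(SAMPLE_EVENTS):
        print(f"event {n} [{severity}] {reason}")
```

Run against the constructed sample, the hunt flags event 3 as high (parent in the user's Temp folder) and event 4 as medium (cmd.exe is not in the expected list), and stays quiet on the logon-time launch and on the non-process-create event. In a real deployment the expected-parent set and the writable-path markers are the two knobs to tune, and a hit is a lead for pulling the parent binary and the child's memory, not a verdict on its own.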

Quick Heal reminds us that ransomware authors also employ “social engineering” deception tradecraft when designing the architecture of their ransomware, fooling AV and security products with an old technique known as the art of deception. KnowBe4's Chief Hacking Officer and well-known security researcher Kevin Mitnick has a best-selling book by that name.

Get the full story at:

Bleeping Computer and Quick Heal

Get Your Ransomware Hostage Rescue Manual

This 26-page manual is packed with actionable information you need to prevent infections, and what to do when you are hit with ransomware. You also get a Ransomware Attack Response Checklist and a Prevention Checklist. You will learn more about:

  1. What is Ransomware?
  2. Am I Infected?
  3. I’m Infected, Now What?
  4. Protecting Yourself in the Future
  5. Resources

Don’t be taken hostage by ransomware. Download your rescue manual now!
