Your browser is obsolete!

The page may not load correctly.

Encrypt everything

Закодировать всё

Other issues in this category (24)
  • add to favourites
    Add to Bookmarks

When someone else's mistake may become yours

Read: 27498 Comments: 8 Rating: 10

Thursday, November 26, 2020

We'd love to say that the cautionary tale we are now going to tell you will have an impact, but alas it won't. While we will go ahead and tell you the tale, those who haven't been affected by the incident we describe are unlikely to learn anything from it. However, it’s still worth a try!

The multinational energy company Enel Group suffered a second ransomware attack this year. This time Netwalker ransomware operators are demanding a $14 million ransom for a decryption key. Complying with their demand will ostensibly also prevent them from leaking several terabytes of stolen data.

In June, the company's infrastructure was attacked by the Snake ransomware (also known as EKANS), but this security breach was discovered before the malware could spread across the network.

On October 19, Netwalker published their ransom demand.

The attackers claimed that they had stolen around 5 terabytes of data from Enel and were ready to leak a portion of it within one week. The criminals also announced that they would “analyse every file for interesting things” and share their discoveries on their leak site.

Obviously, the attackers put their victim under considerable pressure to make the company pay the ransom.


Enel is one of the largest energy companies in Europe. It has 61 million customers in 40 countries. As of August 10, the company ranked 87th in the Fortune Global 500 with $90 billion in revenue in 2019.

NetWalker, as a ransomware strain, first appeared in August 2019. In its initial version, the ransomware went by the name of Mailto but was rebranded to NetWalker towards the end of 2019.

The ransomware operates as a closed-access RaaS — a ransomware-as-a-service portal. Other hacker gangs sign up and go through a vetting process, after which they are granted access to a web portal where they can build custom versions of the ransomware.

The distribution is left to these second-tier gangs, known as affiliates, and each group deploys it as they see fit.


Little is yet known about the attack, but hacker rings usually employ the typical intrusion techniques.

The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller minutes before using PsExec to run the NetWalker ransomware payload on all Domain-joined systems.

First, the intruder ran the c37.ps1 script. Minutes later they ran c37.exe, which copies itself to a temp directory and then stops.

This binary includes Neshta as well as poison, BazarBackdoor, XMRig and most CobaltStrike modules.

We attempted to run c37.ps1 and c37.exe in a few sandboxes and none of them captured the network traffic, which tells us that these Beacons include sandbox-evasion techniques.

A few minutes after AdFind was run, a command prompt was opened and the following commands were either copied and pasted slowly or manually typed.

Shortly after that, a script named pcr.bat was dropped and executed.

It took the threat actor just 1 hour and 5 minutes to carry out the attack. The initial intrusion was conducted over RDP using a compromised administrator account.


Here we quoted only part of the incident review. You can access the entire report using the link above. The pieces we provide here merely highlight the main security flaws.

  • Weak administrator passwords enabled the attackers to gain access to the infrastructure.
  • Remote access was available from any address—i.e., no specific addresses from which a certain computer could be accessed were listed.
  • The ability to run any software on a computer.
  • Inbound files didn't undergo a preliminary examination in a reliable sandbox environment, such as Dr.Web vxCube. Attackers employ techniques that enable malware to evade most popular sandboxes.

And as we can clearly see, despite the enormous revenues that the affected companies earn and the huge amounts that they obviously spend on security, hackers don't need to adopt sophisticated intrusion techniques or bribe or blackmail their way into corporate infrastructures.

#hacking #ransom #extortion #data_loss_prevention #history #damage

The Anti-virus Times recommends

The trojan penetrated the local network and infected all the hosts as well as the NAS server containing our backups.

A request submitted to Doctor Web's Technical Support Service

It is said that smart people learn from others’ mistakes. But by all appearances, nothing is going to change until every last one of them winds up with infected computers; weak passwords will persist, local networks won't be divided into subnets, and computers storing backups will remain accessible via the network.

And our recommendation is pretty obvious: Learn from other people’s mistakes


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.