Fileless Ransomware: Powershell Netwalker

Netwalker: this fileless ransomware can encrypt your data without any exe file or trace, using nothing but a string of characters passed as a PowerShell command.

Sponsor: https://www.acronis.com/en-us/products/true-image/?utm_source=thepcsecuritychannel&utm_medium=social&utm_campaign=fy22-q2-thepcsecuritychannel-yt-acpho (Get Acronis with exclusive 30% sponsor discount)

Buy the best antivirus: https://thepcsecuritychannel.com/best-antivirus
Join the discussion on Discord: http://discord.tpsc.tech/
Get your business endpoints tested by us: http://tpsc.tech/
Contact us for business: https://thepcsecuritychannel.com/contact


This Post Has 39 Comments

  1. Frank Strea

    What about scripts such as Python .py? Can I scan them?

  2. Trend Micro started to screw up my Windows File Explorer and Boxcryptor over the past 12 months and so I’ve uninstalled it and am now using Windows Defender. I’m not happy about that, but at least it gives me back a usable PC that I only just 2 years ago.

  3. Jedi Buddhist

    We tried supporting you with TPSC22. Unfortunately it does not work.

    Thank you for all your hard work and time. Your info is priceless.

  4. Kevin Rodrigues

    You got a CVE? Has this been patched? All the sources I find are from 2020.

  5. Ronny Vertesh

    Hey dude, can you make a video on Mac security, and Mac malware?

  6. Ranvir Singh

    Good to see ransomware authors making their code tiny and efficient. Now if only Windows devs could follow suit.

  7. Rodrigo M.

    I think in Malwarebytes you could configure script blocking? I remember Leo tried it in the Malwarebytes video; I'm not sure if that can help with this type of ransomware.

  8. ratgreen

    I'd like to see how you protect against this. Is a Group Policy to block PowerShell enough?

  9. Wilfredo Torres

    Hi Leo, with this type of fileless malware attack I've seen a file just seem to drop onto the computer without me activating anything, and I'm wondering how this is possible. Besides the antivirus protection, what other types of protection can we take into account? Is Sandboxie effective with this type of attack?

  10. _

    Fileless ransomware. Now that's something that would never happen on GNU/Linux 😆

  11. Daniel

    Does the Windows Defender thing that does not allow modifications of files work against this?

  12. Many antivirus products will probably detect these PowerShell expressions, which will call malicious behaviours, but to be more protected, I would advise Comodo free firewall HIPS protection to be used with the existing antivirus product on our PCs. Even if the antivirus product fails to detect this malicious PowerShell code, Comodo free firewall HIPS protection would warn you about ".ps1" file execution, and if a user is cautious enough and has basic knowledge about PCs, he/she would deny that action and would be protected from this attack. Layers of protection are always better than having only one protection software installed on our PCs, in my opinion.

  13. TSUJACK

    Could you make a video on how to disable PowerShell scripts safely for the standard user, Admin, and Super Admin, please?

  14. Taps Taporco

    Can it be used as a dead man switch to protect your own files?

  15. Danny Dandarama

    My PC was infected by ransomware that generates .mkp files. Fortunately my data is OK because I had a backup and replaced the infected hard drive with an SSD. I still have all the encrypted files on the old hard drive, hoping that there is a decryptor tool for the mkp ransomware. Has anyone any knowledge of such a tool?

  16. Sammie J Shaw

    I'm about as computer literate as a floppy disk, but I like watching your channel to see what crazy stuff hackers come up with nowadays.

  17. What I want to know is, if it is encrypted, how does the OS execute it? Base64 is a hash, not an encryption, so it can be reversed and analyzed. I do also wonder why it doesn't get stopped by the execution policy of the OS? By default script execution is disabled in PowerShell, so only typed commands work. I know you can get around it by using the Rubber Ducky USB, but that is unlikely to be a method that is often used.

  18. Pineapple road

    I just realised that I may have a (mostly) ransomware-proof network storage drive.
    If I delete or overwrite a file on it, the file is not deleted but moved to a recycle bin (and access to the recycle bin can be easily restricted).

  19. Mar Celo

    I don't understand one thing: if the command is encrypted, how does Windows decrypt the command on the fly, without the user telling the system beforehand that the command needs to be decrypted to run properly? I mean, it is as if I had a picture encrypted by VeraCrypt and after double-clicking it Windows became aware the file was encrypted, figured out which keys were used during the encryption, selected the correct keys and made the conversion back to the original file, WITHOUT any input from the user… How is that possible???

    Example: I have encrypted files that require a password + other files to reverse the encryption. How would Windows guess my password and the files needed if I don't provide such info to the system?

  20. S_T

    I'm sorry, but why do you say that the string is encrypted? It's a Base64 encoded string, but it's not encrypted. You can just use any Base64 decoder to actually read its contents, meaning that you can absolutely read the ransomware's source code.
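
The decoding S_T describes, as an added defender-side example that is not part of the comment thread or the video: it pulls the Base64 blob out of a constructed `powershell.exe -enc` command line (the kind of line an EDR or Sysmon process-creation event records), reverses the UTF-16LE/Base64 encoding with no key at all, and lists a few illustrative triage keywords found in the plain text. The sample script, the flag-prefix handling and the keyword list are assumptions for illustration.

```python
import base64
import binascii

# Constructed sample: a harmless script encoded the way powershell.exe -EncodedCommand
# expects it (UTF-16LE text, then Base64). Not taken from the video or from Netwalker.
SAMPLE_SCRIPT = "Write-Host 'hello'; [IO.File]::WriteAllText('C:\\tmp\\x.txt', 'test')"
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
)

# Keywords a triage analyst looks for in the decoded text; illustrative, not exhaustive.
INDICATORS = ("FromBase64String", "Invoke-Expression", "IEX", "DownloadString",
              "Add-Type", "System.Security.Cryptography", "vssadmin")


def is_encoded_flag(arg: str) -> bool:
    """powershell.exe accepts -e, -ec, -enc and longer prefixes of -EncodedCommand."""
    a = arg.lower()
    return len(a) >= 2 and "-encodedcommand".startswith(a)


def decode_encoded_command(cmdline: str):
    """Return the plain-text script from a process command line, or None if absent/invalid."""
    parts = cmdline.split()
    for i, arg in enumerate(parts[:-1]):
        if is_encoded_flag(arg):
            try:
                # Base64 is an encoding, not encryption: reversing it needs no key.
                return base64.b64decode(parts[i + 1], validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def suspicious_indicators(script: str) -> list:
    """List which triage keywords appear in the decoded script (case-insensitive)."""
    low = script.lower()
    return [ind for ind in INDICATORS if ind.lower() in low]


if __name__ == "__main__":
    plain = decode_encoded_command(SAMPLE_CMDLINE)
    print("decoded:", plain)
    print("indicators:", suspicious_indicators(plain or ""))
```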

  21. 8080

    FYI: fileless virus resides in memory like RAM.

  22. Swift

    Could you make a video about UEFI malware, how UEFI gets infected and how to defend against it?

  23. m.nageh

    1. JavaScript code? 🤣🤨 Not true.

    2. A macro? You realize that Microsoft disabled it by default for this exact reason a while ago? No?

    This isn't what fileless is about, bro.

  24. Cougar Town

    Heap-spray attacks, DLL injection, and JavaScript malware that injects PowerShell code tend to be the more widespread methods of malware these days, and usually spread through various forms of instant messaging like Discord, Skype, and so on. I would recommend AV vendors update their protection algorithms towards these attack vectors, so that users can be safer from bad actors such as cyber criminals accessing their data on their systems and potentially stealing a lot of sensitive information, which could mean login credentials for websites, bank information, and other important information that the criminals can use against the victim, blackmailing or essentially holding them to ransom.

    It is important to know that the security solutions out there right now are not working as they should and we need a proper update to security, as anti-virus software has been useless for the past decade: they only protect against a minority of viruses and threats whilst the majority of threats get through the AV protection, even disabling the AV protection within seconds and then further infecting the system with ease.

    Why are the AV companies slacking? This is personal data being stolen. We need to have more security for users that pay for AV solutions to protect their data, but all we get is this waste of cash for a "protection" that does not even protect the users. I am very disappointed in the fact that the AV vendors do not even respond or seem interested in talking about it, even though it is a major concern that needs to be discussed every day a real threat emerges. I wish we could have a proper AV solution in the future that solves all these problems, but I do not think there is a single AV solution out there that can fully protect against all these threats, and the AV companies just sell a lot of bullshit to the customers. That is the unfortunate reality we have to face every day when a hacker hacks into the system and steals our precious data… so why is it like this? I for sure want answers to this, but yeah, not much is gonna change, I assume.

    Ah well, I hope for a better future tomorrow. But the future looks more than dire at the moment.

  25. Austin Beck

    On a different note, that outro background is sick. Where can I get it?

  26. Zk Motivation

    I just want to let anyone who’s reading this, and going through a tough time know that it’s going to be okay. You’ll get through it! ✨

  27. Andy Spark

    Alright, this is actually scary. Because of this, my browser Java has been off by default for years.
    Questions:
    Pages like Wiki have many links. Do they get checked? Is there a filter installed before someone saves the edit?

  28. kim-hendrik merk

    How is this malware distributed?
    How can you avoid even downloading it?

  29. Axq

    Could you create a video on malware that can escape VMs and how to configure your VMs to protect yourself against these kinds of attacks?

  30. John Doe

    This is not file-less. If it's a PowerShell script, that's a file. If it's browser JS, it is still a file your browser downloaded. If it is an Office macro, it is still a file.
    File-less means either (or both) remote code execution and persistence on the network without files. The latter is only extremely advanced APT…

    I could accept browser JS as file-less, as it is code execution and sandbox escape without explicit interaction from the user, even though the files are written to cache if anything, but a PowerShell script is not. The files are there, embedded as base64.
