NetWalker ransomware gang has made $25 million since March 2020

The NetWalker gang has established itself as one of the most dangerous ransomware groups out there.
Written by Catalin Cimpanu, Contributor
Image: McAfee, ZDNet

The operators of the NetWalker ransomware are believed to have earned more than $25 million from ransom payments since March this year, security firm McAfee said today.

Although precise and up-to-date statistics are not available, the $25 million figure puts NetWalker close to the top of the most successful ransomware gangs known today, with other known names such as Ryuk, Dharma, and REvil (Sodinokibi).

McAfee, which recently published a comprehensive report on NetWalker's operations, was able to track payments that victims made to known Bitcoin addresses associated with the ransomware gang.

However, security experts believe the gang could have made even more from its illicit operations, as McAfee's view of the gang's payment addresses was not complete.

A short intro and history to NetWalker

NetWalker, as a ransomware strain, first appeared in August 2019. In its initial version, the ransomware went by the name of Mailto but rebranded to NetWalker towards the end of 2019.

The ransomware operates as a closed-access RaaS -- a ransomware-as-a-service portal. Other hacker gangs sign up and go through a vetting process, after which they are granted access to a web portal where they can build custom versions of the ransomware.

The distribution is left to these second-tier gangs, known as affiliates, and each group deploys it as they see fit.

Through this vetting process, NetWalker has recently begun selecting affiliates specialized in targeted attacks against the networks of high-value entities, rather than those specialized in mass-distribution methods such as exploit kits or email spam.

The reason is that targeting larger companies in precise and surgical intrusions allows the gang to request bigger ransom demands as larger companies lose more profits while they're down, compared to smaller firms.

In particular, the NetWalker author appears to favor affiliates capable of executing intrusions via network attacks -- on RDP servers, networking gear, VPN servers, firewalls, etc. -- according to an ad on a hacking forum found by this reporter earlier this year. Of note, the NetWalker author, going by the name of Bugatti, was interested in hiring only Russian-speaking clients.

Historically, McAfee experts say, NetWalker has carried out intrusions by using exploits for Oracle WebLogic and Apache Tomcat servers, by entering networks via RDP endpoints with weak credentials, or by spear-phishing staff at important companies.
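The weak-credential RDP entry described above leaves a recognisable trace in the Windows Security log: a burst of failed logons (event ID 4625) from one source address followed by a successful logon (event ID 4624), both with logon type 10 (RemoteInteractive, i.e. RDP). The following is an added detection example, not McAfee's or the FBI's tooling and not code from the article; the event IDs and logon type are the standard Windows values, while the sample events, the source addresses, the threshold and the time window are constructed for illustration.

```python
"""Flag brute-force-then-success RDP logon patterns in Windows Security events.

Added example (not McAfee's or the FBI's tooling). Event IDs 4625 (failed
logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive/RDP)
are the standard Windows values; the events below are constructed samples
shaped like records exported from the Security log.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(event_id, minute, second, ip, user, logon_type=10):
    """Build one constructed Security-log-style record (assumed date/time)."""
    return {
        "EventID": event_id,
        "TimeCreated": f"2020-07-20T02:{minute:02d}:{second:02d}",
        "IpAddress": ip,
        "TargetUserName": user,
        "LogonType": logon_type,
    }


# Constructed sample events (addresses are documentation ranges, not real hosts).
SAMPLE_EVENTS = (
    # Six failed RDP logons against 'administrator' from one source, then success.
    [_ev(4625, 14, s, "198.51.100.23", "administrator") for s in range(0, 60, 10)]
    + [_ev(4624, 15, 5, "198.51.100.23", "administrator")]
    # Two failures then success: an ordinary typo, below the threshold.
    + [
        _ev(4625, 20, 0, "203.0.113.9", "jsmith"),
        _ev(4625, 20, 30, "203.0.113.9", "jsmith"),
        _ev(4624, 21, 0, "203.0.113.9", "jsmith"),
    ]
    # Network (type 3) logon noise: not RDP, so the detector ignores it.
    + [_ev(4625, 30, s, "192.0.2.77", "svc-backup", logon_type=3) for s in range(0, 60, 6)]
    + [_ev(4624, 31, 0, "192.0.2.77", "svc-backup", logon_type=3)]
)

FAIL_THRESHOLD = 5           # assumed: failures needed before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumed: how far back failures still count


def _parse_time(value):
    return datetime.fromisoformat(value)


def find_bruteforce_then_success(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one finding per RDP success preceded by >= fail_threshold
    failures from the same source address within `window`.

    Events are processed in time order; only logon type 10 is considered.
    The failure history for a source is cleared after each success so a
    later success is judged on fresh evidence.
    """
    ordered = sorted(events, key=lambda e: _parse_time(e["TimeCreated"]))
    failures = defaultdict(list)  # source ip -> timestamps of recent 4625s
    findings = []
    for e in ordered:
        if e.get("LogonType") != 10:
            continue
        ip = e["IpAddress"]
        when = _parse_time(e["TimeCreated"])
        if e["EventID"] == 4625:
            failures[ip].append(when)
        elif e["EventID"] == 4624:
            recent = [t for t in failures[ip] if when - t <= window]
            if len(recent) >= fail_threshold:
                findings.append({
                    "source": ip,
                    "user": e["TargetUserName"],
                    "at": e["TimeCreated"],
                    "failed_before": len(recent),
                })
            failures[ip].clear()
    return findings


if __name__ == "__main__":
    for hit in find_bruteforce_then_success(SAMPLE_EVENTS):
        print(f"RDP success from {hit['source']} as {hit['user']} at {hit['at']} "
              f"after {hit['failed_before']} failures")
```

The threshold and window are the knobs a defender tunes to local noise levels; lowering `fail_threshold` to 2 in the sample above would also flag the `jsmith` typo case, which is why the default sits higher. Exposed RDP with weak credentials is better fixed than detected, but this kind of check catches the entry the article describes while the affiliate is still early in the intrusion.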

Image: McAfee

But according to an FBI alert published last week, the group has more recently also incorporated exploits for Pulse Secure VPN servers (CVE-2019-11510) and for web apps that use the Telerik UI component (CVE-2019-18935) to diversify its arsenal.

The same alert also warned US companies and government organizations to update their systems, as the bureau saw an uptick in activity from the NetWalker gang, which has even hit some government networks.

NetWalker activity has ramped up in recent months

Currently, NetWalker's most high-profile victim is Michigan State University, which the group infected in late May as part of a series of intrusions at US universities.

However, McAfee says that NetWalker also poses a risk to companies all over the globe, not just in the US or in Western Europe, another regular NetWalker hunting ground.

Per statistics supplied to ZDNet by ransomware identification service ID-Ransomware, NetWalker activity has been picking up in recent months, a sign that its RaaS portal is a hit among the cyber-criminal underground.

Image: MalwareHunterTeam

With more than $25 million obtained from ransom payments, NetWalker's popularity is bound to grow even larger.

One of the reasons the gang has been so popular is its "leak portal," a website where the gang publishes the names of victims who refuse to pay its ransom demand and releases the data stolen from them.

The site operates on simple principles and is one of many similar ransomware leak sites.

  • Once a NetWalker affiliate breaches a network, they first steal a company's sensitive data, then encrypt files.
  • If the victim refuses to pay to decrypt files during initial negotiations, the ransomware gang creates an entry on their leak site.
  • The entry has a timer, and if the victim still refuses to pay, the gang leaks the files they stole from the victim's network.

Image: ZDNet (NetWalker ransomware leak site)

The site has helped NetWalker put additional pressure on victims. Many fear having intellectual property or sensitive user data leaked online; others fear having their name tarnished in the press, as the site and its most recent victims are often cited in news articles. Many companies will pay just to avoid having their name listed on it in the first place.
