Security company McAfee said today that the operators of the NetWalker ransomware are believed to have earned more than $25 million in ransom payments since March this year. Although there are no accurate and up-to-date statistics, the $25 million figure places NetWalker at the top of the list of the most successful ransomware gangs currently known. Other well-known names include Ryuk, Dharma, and REvil (Sodinokibi).
McAfee recently released a comprehensive report on NetWalker’s operations, in which it tracked payments made by victims to Bitcoin addresses belonging to the ransomware group. However, because their visibility is incomplete, the researchers believe the gang may have profited even more from its operations. NetWalker first appeared in August 2019 under the name Mailto and was renamed NetWalker at the end of 2019.
The ransomware is run as a closed-access ransomware-as-a-service (RaaS) portal. Other criminal groups apply, pass a vetting process, and are then granted access to a portal where they can build customized versions of the ransomware. These second-tier gangs (the so-called affiliates) handle distribution, and each deploys the ransomware as it sees fit. Through this vetting process, NetWalker has recently begun to favor affiliates that specialize in targeted attacks on the networks of high-value organizations over those that rely on mass-distribution methods such as toolkits or e-mail spam. The reason is that a precise, surgical intrusion into a large company allows the group to demand a larger ransom, because a large company loses far more revenue during an outage than a small one does.
The NetWalker author appears to prefer affiliates who can break in over the network through RDP servers, network devices, VPN servers, firewalls, and the like. Notably, the author, who goes by the alias Bugatti, is only interested in recruiting Russian-speaking affiliates. McAfee experts said that, historically, NetWalker gained access through vulnerabilities in Oracle WebLogic and Apache Tomcat servers, through RDP endpoints with weak credentials, or through spear phishing aimed at the staff of the targeted companies.
However, according to an alert issued by the FBI last week, the group recently added a Pulse Secure VPN server vulnerability (CVE-2019-11510) and a Telerik UI component vulnerability (CVE-2019-18935) to its arsenal. The same alert urged US companies and government organizations to patch their systems, because the bureau had seen an increase in NetWalker activity, including intrusions into some government networks.
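Of the initial-access vectors listed above, weak RDP credentials are the one a defender can watch for directly in authentication logs. The script below is an added example, not part of the McAfee report or the FBI alert: it flags a source that racks up many failed RDP logons in a short window and notes whether a successful RDP logon from that same source followed, which is the signature of a password-guessing attempt that worked. The log lines are a constructed, simplified one-line rendering of Windows Security events (4625 = failed logon, 4624 = successful logon, Logon Type 10 = RemoteInteractive, i.e. RDP); the field names, threshold and window are assumptions chosen for the example, not values from the page.

```python
"""Flag RDP password-guessing from failed-logon events (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Each line is a simplified form of a
# Windows Security event: 4625 = failed logon, 4624 = successful logon,
# LogonType=10 = RemoteInteractive (an RDP session). The IPs are documentation ranges.
SAMPLE_EVENTS = [
    "2020-08-03T10:00:01 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-08-03T10:00:03 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2020-08-03T10:00:05 4625 LogonType=10 User=backup Src=203.0.113.7",
    "2020-08-03T10:00:08 4625 LogonType=10 User=scanner Src=203.0.113.7",
    "2020-08-03T10:00:11 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-08-03T10:00:14 4624 LogonType=10 User=administrator Src=203.0.113.7",
    # A single typo followed by a success is normal user behaviour and must not fire.
    "2020-08-03T10:05:00 4625 LogonType=10 User=jsmith Src=198.51.100.4",
    "2020-08-03T10:05:20 4624 LogonType=10 User=jsmith Src=198.51.100.4",
    # Network logon (type 3), not RDP: ignored by this detection.
    "2020-08-03T11:30:00 4625 LogonType=3 User=svc_sql Src=192.0.2.9",
]

# Shape of the constructed log line (hypothetical format for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)


def parse_event(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": int(m["event"]),
        "logon_type": int(m["ltype"]),
        "user": m["user"],
        "src": m["src"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources with >= `threshold` failed RDP logons
    inside a sliding `window`. A finding records the peak failure count, the user
    names tried, and whether a successful RDP logon from that source came afterwards."""
    events = [e for e in map(parse_event, lines) if e and e["logon_type"] == 10]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)  # src -> [(timestamp, user)] of failures still in the window
    findings = {}
    for e in events:
        src = e["src"]
        if e["event"] == 4625:
            recent[src].append((e["ts"], e["user"]))
            # Drop failures that have aged out of the window relative to this event.
            recent[src] = [(t, u) for t, u in recent[src] if e["ts"] - t <= window]
            if len(recent[src]) >= threshold:
                f = findings.setdefault(
                    src, {"failures": 0, "users": set(), "success_after": False}
                )
                f["failures"] = max(f["failures"], len(recent[src]))
                f["users"].update(u for _, u in recent[src])
        elif e["event"] == 4624 and src in findings:
            # A success from a source already flagged for guessing is the high-severity case.
            findings[src]["success_after"] = True
            findings[src]["success_user"] = e["user"]
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        severity = "HIGH (success after guessing)" if finding["success_after"] else "medium"
        print(f"{src}: {finding['failures']} failed RDP logons, "
              f"users tried={sorted(finding['users'])}, severity={severity}")
```

Run against the constructed sample, only 203.0.113.7 is reported, and it is reported at high severity because the administrator logon that followed the five failures succeeded. The single failed attempt from 198.51.100.4 stays under the threshold, and the type 3 network logon is filtered out before counting. In production the same logic would read real 4625/4624 events from a SIEM, and a finding with `success_after` set should trigger credential reset and session review for that account.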
One of the reasons the gang is so well known is its “leak portal,” a website on which it publishes the names of victims who refuse to pay the ransom and releases their data. Once NetWalker affiliates break into a network, they first steal the company’s sensitive data and then encrypt the files. If the victim refuses to pay for decryption during the initial negotiation, the group creates an entry for it on the leak site. Each entry has a countdown timer, and if the victim still refuses to pay when it expires, the gang leaks the files stolen from the victim’s network.