NetWalker ransomware operators are estimated to have earned more than $25 million in ransom payments from their victims since March, security company McAfee said. Although there are no clear statistics, $25 million in profits puts NetWalker at the top of the most successful ransomware gangs known today, alongside other well-known ransomware such as Ryuk, Dharma and REvil (Sodinokibi).
McAfee, which recently published a report on NetWalker's operations, was able to track payments made by victims to known Bitcoin addresses linked to the ransomware gang. However, security researchers believe the gang could have made even more from its illegal operations.
NetWalker, as a ransomware strain, first appeared in August 2019. In its original version, the ransomware appeared under the name Mailto, but it was renamed NetWalker in late 2019. The ransomware operates as a closed-access RaaS, a ransomware-as-a-service portal. Other hacker gangs register and go through a vetting process, which gives them access to an online portal where they can build custom versions of the ransomware. Distribution is left to these second-tier gangs, known as affiliates, and each group handles it as it sees fit. Through this vetting process, NetWalker has recently started selecting partners who specialize in targeted attacks against the networks of high-value, high-profile entities, rather than those who specialize in mass distribution methods such as exploit kits or spam e-mail. This is because targeting larger companies with high-value operations allows the gang to demand bigger ransoms, as larger companies lose more profit when they are not operating, compared to smaller companies.
In particular, the creator of NetWalker seems to favor partners who are able to break in through network attacks against RDP servers, networking tools, VPN servers, firewalls, etc. It is worth noting that the creator of NetWalker, known as Bugatti, was only interested in hiring Russian-speaking customers.
According to McAfee researchers, NetWalker has carried out attacks using exploits against Oracle WebLogic and Apache Tomcat servers, breaking into networks via RDP endpoints with weak credentials, or with spear-phishing at major companies. However, according to an FBI alert released last week, NetWalker operators have also added exploits for Pulse Secure VPN servers (CVE-2019-11510) and web applications using the Telerik UI component (CVE-2019-18935) to diversify the "weapons" of their attacks.
U.S. companies and government agencies have been warned to update their systems as NetWalker gang activity has increased, affecting even some government networks. So far, NetWalker ransomware's highest-profile victim is Michigan State University, which was breached at the end of May, as part of several raids across the USA. However, McAfee pointed out that NetWalker also poses a risk to companies around the world, and not just to the US or Western Europe, which have also been targeted by NetWalker many times over.
With more than $25 million in ransom payments received in recent months, NetWalker's popularity is expected to grow even more. One of the reasons why the NetWalker ransomware gang is so popular and has made over $25 million since March is its "leak portal", a site where the gang publishes the names and data of victims who refuse to pay a ransom.
The site operates on simple principles and is one of many ransomware leak sites. Once a NetWalker ransomware partner breaks into a network, it first steals the company's sensitive data and then encrypts the files. If the victim refuses to pay for the decryption of the files during the initial negotiations, the ransomware gang creates an entry on its leak site. The entry has a timer, and if the victim still refuses to pay, the gang leaks the files it stole from the victim's network.
The site has helped NetWalker ransomware put extra pressure on victims. Many fear that their intellectual property or sensitive data may be leaked on the Internet, while others fear that their name will be tarnished in the press, as the site and its most recent victims are often cited in news articles. Many companies will pay simply so that their name does not end up as negative news in the newspapers.