NetWalker Ransomware Earns $25 Million in Just 5 Months

In the last 5 months, when most people were sheltering in place and working from home due to COVID-19 restrictions, the group behind the ransomware called “NetWalker” earned US $25 million by extorting organizations for large amounts of money.

In the blog post “Take a ‘NetWalk’ on the Wild Side” published on August 3, 2020, researchers at McAfee reported that between March 1, 2020 and July 27, 2020, victims of NetWalker ransomware paid the group behind it 2,795 bitcoin, valued at US $25 million.

“Even though we do not have complete visibility into the BTC flow before NetWalker started ramping up, one thing is certain, this quarter alone it has been highly successful at extorting organisations for large amounts of money,” researchers at McAfee said. “All this at a time when many sectors are struggling because people are sheltering in place and governments are trying to keep businesses from going bankrupt. NetWalker is making millions off the backs of legitimate companies.”

The researchers at McAfee said they followed the money: they learned about the earnings of the group behind the NetWalker ransomware through the moniker Bugatti, who revealed two bitcoin addresses controlled by the group on an underground forum. The addresses were revealed as part of the group’s process for recruiting affiliates, to highlight the group’s earnings.

Ransomware-As-A-Service (RaaS)

Many of today’s ransomware groups operate through the model called “ransomware-as-a-service (RaaS)” – a cybercrime economic model that allows creators of malicious software (malware) to earn money from their creations without conducting the actual cyberattack themselves.

In the RaaS model, the affiliates carry out the actual cyberattack, from the initial compromise of the victims’ networks to the dropping of the malware, in this case the NetWalker ransomware. If the ransomware victim pays the ransom, the ransomware creator splits the money with the affiliates.

The NetWalker ransomware operators were particularly looking for technically advanced affiliates and those with experience with large networks. In March of this year, Bugatti, the recruiter of NetWalker RaaS affiliates on the underground fora, posted that the group’s preferred affiliate is one “who can work with large networks and have their own material”.

Ransomware Evolution

NetWalker, initially known as Mailto, was first detected in the wild in August 2019. Since then, various variants have been discovered.

As is typical of ransomware, NetWalker encrypts victims’ networks, computers and files. In exchange for the decryption keys that could unlock the encrypted files, victims are asked to pay a ransom. Like many of today’s ransomware families, NetWalker threatens non-paying victims that their data stolen prior to encryption will be leaked online – an open admission that the group behind this ransomware steals data prior to encryption.

The group behind this ransomware also changed its line of communication with victims. The original communication line via email was replaced with a web interface via Tor, where victims submit their user key and are then redirected to a chat with NetWalker technical support.

Initial Access

The group behind NetWalker ransomware is known to gain initial access to victims’ networks by exploiting public-facing applications, that is, applications with internet-accessible open sockets. An example of a public-facing application is Oracle WebLogic Server – a popular application server used in building and deploying enterprise Java EE applications.

According to researchers at McAfee and Sophos, the group behind NetWalker gained an initial foothold into the networks they target by taking advantage of outdated server software such as Oracle WebLogic Server. 

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,” Oracle said in its “Critical Patch Update Advisory – April 2020”. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.”

In its advisory, however, Oracle didn’t specify the threat actors that exploited Oracle WebLogic Server.

In addition to exploiting outdated public-facing applications such as Oracle WebLogic Server, researchers at McAfee and Sophos reported that the group behind NetWalker gained an initial foothold into the networks they target by exploiting valid accounts, specifically weak remote desktop protocol (RDP) passwords. RDP is a proprietary protocol developed by Microsoft which allows a user to connect to another computer over a network connection.

“Attackers target RDP servers that use weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security protections,” Microsoft Defender ATP Research Team said in the blog post “Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks”. “Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations.”

The Federal Bureau of Investigation (FBI) recently issued an alert warning U.S. and foreign organizations that threat actors using NetWalker have since taken advantage of the COVID-19 pandemic to compromise an increasing number of unsuspecting victims. In April 2020, the FBI said that threat actors using NetWalker began gaining access to victim networks by exploiting unpatched VPN appliances.

Preventive and Mitigating Measures Against Ransomware Attacks

To prevent or mitigate the effects of ransomware attacks, such as attacks from threat actors using NetWalker ransomware, it’s important to keep all your organization’s software up to date, especially Oracle WebLogic Server and VPN appliances.

It’s also important to protect valid accounts such as RDP accounts with strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections.
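
An added example (not from the original article, and not code from McAfee, Sophos or Microsoft) of a simple check for the RDP brute-force pattern described above: it counts failed logons (Windows Security event 4625) per source IP in a sliding window and reports any successful logon (event 4624) from that IP afterwards. The event dictionary layout, the threshold of 5 failures in 10 minutes and the sample events are assumptions made for illustration; the fixed threshold is a simplification, not the probabilistic model from the Microsoft post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log: failed / successful logon
RDP_LOGON_TYPES = {3, 10}      # 10 = RemoteInteractive; 3 = Network (RDP with NLA)

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed logons inside a sliding window,
    and list accounts those IPs logged on to afterwards (likely guessed)."""
    recent = defaultdict(deque)    # ip -> timestamps of failures still in window
    tried = defaultdict(set)       # ip -> account names attempted
    alerted = {}                   # ip -> time the threshold was first reached
    followed = defaultdict(list)   # ip -> accounts logged on to after the alert
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, ts, user = ev["ip"], ev["time"], ev["user"]
        if ev["event_id"] == FAILED:
            tried[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:      # expire failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerted.setdefault(ip, ts)
        elif ev["event_id"] == SUCCESS and ip in alerted:
            followed[ip].append(user)      # success after a burst: password likely guessed
    return [{"ip": ip, "alert_time": t, "users_tried": sorted(tried[ip]),
             "logged_on_as": followed[ip]} for ip, t in alerted.items()]

def make_event(minute, second, event_id, ip, user, logon_type=3):
    # Hypothetical flattened event record; field names are assumptions.
    return {"time": datetime(2020, 8, 1, 9, minute, second), "event_id": event_id,
            "ip": ip, "user": user, "logon_type": logon_type}

# Constructed sample events (documentation IP ranges, made-up account names).
GUESSES = ["administrator", "admin", "backup", "svc_sql", "administrator", "administrator"]
SAMPLE = (
    [make_event(0, 10 * i, FAILED, "203.0.113.50", u) for i, u in enumerate(GUESSES)]
    + [make_event(1, 30, SUCCESS, "203.0.113.50", "administrator", 10)]
    # One mistyped password followed by a normal logon: not flagged.
    + [make_event(5, 0, FAILED, "198.51.100.7", "jsmith"),
       make_event(5, 40, SUCCESS, "198.51.100.7", "jsmith", 10)]
    # Six failures spaced 10 minutes apart: a fixed threshold misses slow guessing.
    + [make_event(m, 0, FAILED, "192.0.2.9", "admin") for m in range(0, 60, 10)]
)

if __name__ == "__main__":
    for finding in find_rdp_bruteforce(SAMPLE):
        print(finding)
```

On the sample, only 203.0.113.50 is reported, together with the account it logged on to after the burst of failures; the slow source at 192.0.2.9 is missed, which is why the threshold and window need tuning against real logon data.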

Ransomware is a serious, profitable business for cybercriminals. Our experts at GenX Solutions have the necessary training and knowledge to stop cybercriminals before they succeed at attacking your business.

Call now (416) 920-3000 to schedule a consultation or email us at, and we will show you how to safeguard your valuable data fast and on budget.
