NetWalker: Ransomware gang has raised around $25 million since March

McAfee tracks the activity of Bitcoin addresses belonging to NetWalker. The ransomware has only been active for around a year. Its operators offer it as malware-as-a-service, including a portal for publishing stolen data.

Ransomware continues to be a very lucrative business model for cybercriminals. According to a McAfee investigation, the operators of the NetWalker ransomware have extorted more than $25 million since March alone.

As part of an investigation into NetWalker, the security provider succeeded in tracking victims' payments to known Bitcoin addresses of the cyber extortionists. However, it cannot be ruled out that some payments were not recorded. Security experts assume that the operators have collected an even larger sum.

NetWalker first appeared in August 2019, at that time under the name Mailto, which was changed to NetWalker in late 2019. The malware is operated as ransomware-as-a-service (RaaS). After registering for access, hackers are offered a portal where they can build their own versions of the NetWalker ransomware. However, these users are then responsible for distributing it themselves.

According to the study, the bidding process has recently selected hackers who specialize in targeted attacks on particularly solvent companies, instead of distributing the ransomware in large numbers. The new tactic makes significantly higher ransom demands possible, because large companies generally also suffer significantly greater damage from ransomware attacks.

According to a recent FBI warning, exploits for Pulse Secure VPN servers and for web applications that use the Telerik UI component are currently serving as the gateway for NetWalker's targeted attacks. Accordingly, not only companies but also government authorities are currently affected.

McAfee points out that NetWalker is active not only in the United States, but also in Europe and other parts of the world. The ID Ransomware service is also showing an increasing spread of the malware.

In addition to the RaaS portal for NetWalker, the cybercriminals also operate a portal on which users of the ransomware can publish stolen data as an additional means of pressure. The portal makes it possible to announce the publication of data first and to automatically release the stolen data at a later point in time.

