

Netwalker is a strain of ransomware discovered in September 2019, although its timestamp dates it back to late August. It was initially believed to be a variant of Mailto, but it has since been established that it is an updated version of that threat. Mailto was discovered by independent cybersecurity researcher and Twitter user GrujaRS.

Data gathered so far indicates that Netwalker ransomware was created by a Russian-speaking group of hackers. This particular faction operates under the Circus Spider moniker.

The concept behind Netwalker is that of Ransomware-as-a-Service (RaaS), which means that Circus Spider provides others with the tools and infrastructure to hold files hostage in return for an affiliate payment. The group posted on dark web Russian forums inviting interested cybercriminals to become associates and spread the malware.

This malicious business model is not unheard of, having been employed most notably by the actors behind the GandCrab ransomware and its updated version, Sodinokibi. Affiliates are offered a cut of up to 84% of the payout if the previous week’s earnings exceed $300,000. If the earnings are below this sum, they can still easily gain around 80% of the total value. The remaining 16-20% goes to the group behind Netwalker. Through this method, those involved earned 25 million dollars in just five months starting on March 1st.

However, joining in comes with its own set of rules. Affiliates are prohibited from targeting organizations located in the region of Russia and the Commonwealth of Independent States. What is more, it is stipulated that collaborators must always return the files of the victims who paid the ransom. Nonetheless, this is never a guarantee when it comes to ransomware hackers.

How Does Netwalker Ransomware Operate?

When Netwalker first started gaining traction among affiliates around March 2020, its operating mode was standard enough. Associates distributed the malware through spam emails that lured victims into clicking on phishing links and infecting the computers in their network. Their focus on mass volume meant that anyone was at risk of becoming a target.

This type of ransomware attack is categorized as belonging to a newer class of malware, namely that which spreads through VBScripts. What is nefarious about this technique is that, if successful, it reaches all the machines connected to the same Windows network as the original infection point.

However, as of April 2020, Netwalker ransomware switched up its approach and requested that affiliates do the same. Circus Spider started recruiting experienced network intruders to single out big targets such as private businesses, hospitals, or governmental agencies, rather than individual home users. Attackers gained unauthorized access to the networks of larger organizations by exploiting unpatched VPN appliances, weak Remote Desktop Protocol passwords, or vulnerabilities in web applications.

Once the attackers have gained entry, Netwalker ransomware terminates all processes and services running on Windows, encrypts the files on the disk, and deletes backups that are stored in the same network. As a consequence, everything stored on the devices in the victim network is rendered inaccessible.
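A defender can treat the three behaviours described above (stopping processes and services, deleting backups, rewriting files) as one chain and alert when a single host shows all of them within a short window. The sketch below is an added example, not part of the original article; the event labels, host names, timestamps and thresholds are constructed assumptions standing in for normalised EDR or log data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (not from a real incident): (time, host, kind, detail).
# The "kind" labels are assumed to come from an upstream EDR/log normaliser.
EVENTS = [
    ("2020-04-02T01:10:00", "ws-014", "service_stop", "sql-agent"),
    ("2020-04-02T01:10:05", "ws-014", "service_stop", "backup-agent"),
    ("2020-04-02T01:10:09", "ws-014", "process_kill", "mail-client"),
    ("2020-04-02T01:11:30", "ws-014", "backup_delete", "nas01 backup share"),
    ("2020-04-02T01:12:00", "ws-014", "file_rewrite", "412 files"),
    ("2020-04-02T09:00:00", "ws-020", "service_stop", "print-spooler"),
    ("2020-04-02T14:00:00", "ws-020", "file_rewrite", "3 files"),
    ("2020-04-02T03:00:00", "srv-02", "backup_delete", "retention job"),
]

# Map raw event kinds onto the three stages described in the article.
STAGES = {
    "service_stop": "terminate",
    "process_kill": "terminate",
    "backup_delete": "backup_delete",
    "file_rewrite": "encrypt",
}

def detect_chain(events, window=timedelta(minutes=10), min_terminations=3):
    """Return {host: window_start} for hosts showing all three stages in one window."""
    by_host = defaultdict(list)
    for ts, host, kind, _detail in events:
        if kind in STAGES:
            by_host[host].append((datetime.fromisoformat(ts), STAGES[kind]))

    alerts = {}
    for host, seq in by_host.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            # Slide the window so it never spans more than `window`.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            stages = [stage for _, stage in seq[start:end + 1]]
            if (stages.count("terminate") >= min_terminations
                    and "backup_delete" in stages
                    and "encrypt" in stages):
                alerts[host] = seq[start][0].isoformat()
                break
    return alerts

if __name__ == "__main__":
    print(detect_chain(EVENTS))
```

A lone service restart or a scheduled backup purge does not trip the rule; only the combination on one host inside the window does, which keeps routine administration from generating alerts.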

Attackers gain access to sensitive data, which they then use to blackmail victims into paying a ransom in exchange for their private files to remain private and not be leaked online. Screenshots of the stolen files together with a countdown are published on Netwalker’s public shaming website. Victims are given one week to pay the ransom, and if they fail to do so everything that was on their affected machines is exposed.

According to a Flash Alert issued by the FBI and distributed among potential victims, vulnerabilities in Telerik UI and Pulse Secure VPN are two of the most commonly exploited by attackers attempting to infiltrate an organization’s network and execute Netwalker.

A Brief History of Netwalker Ransomware Attacks

Although Netwalker has been around since the autumn of 2019, its status as a cyber-threat became apparent around March 2020, as previously mentioned. Actors employing the ransomware managed to sneak it into the networks of large organizations even before April’s change in tactics.

Attacks usually target establishments that pertain to the following four categories:

  • healthcare providers,
  • educational facilities,
  • local government,
  • and private companies.

In the subsections below, you will find relevant examples detailed for each one.

1. Healthcare Providers

Netwalker ransomware made a name for itself by preying on the fear surrounding the Coronavirus pandemic. Therefore, it comes as no surprise that medical service providers are one of its largest targets.

For instance, the Crozer-Keystone Health System operating in the suburban Philadelphia area reported a ransomware attack in mid-June 2020. The provider owns four hospitals, as well as four outpatient centers in Delaware County, Pennsylvania. Rich Lenonowitz, Crozer-Keystone’s Executive Communications and Crisis Communications Director, declined to comment on whether and how these units were affected. However, he did declare that the provider’s security team quickly identified the threat and took the necessary measures to mitigate damages.

Sadly, other healthcare providers have been targeted by the Netwalker ransomware since the start of the COVID-19 crisis as well. One example is the Champaign-Urbana Public Health District in Illinois, USA. Its systems were taken offline due to an attack on the 10th of March.

An arguably more serious case is that of Brno University Hospital, located in the Czech Republic. The country’s second-largest medical institution was attacked in the middle of the night on March 14th, 2020. This delayed the results of dozens of Coronavirus tests. The attack took place just two days before the president issued a nationwide quarantine in the country.

The European healthcare system was also sought out by attackers, as several hospitals in Spain fell victim to the ransomware on March 25.

2. Educational Facilities

Several universities from the United States have been affected by Netwalker attacks as well. At the beginning of June, the actors behind the ransomware threat announced that they had attacked three educational institutions and obtained sensitive data such as student names, social security numbers, and financial information.

The affected universities were Michigan State University, Columbia College of Chicago, and the University of California San Francisco. The latter was one of the schools conducting Coronavirus treatment research through clinical trials and antibody testing.

3. Local Government

Unfortunately, local government is not safe from this cyber-threat either. The entire Austrian city of Weiz also fell victim to Netwalker ransomware in May of 2020. Hackers illicitly entered the village’s public network with Coronavirus-centric phishing emails. The subject of the messages was set to “information about the coronavirus”.

Public infrastructure employees were thus baited into clicking on the malicious links included in the email and infecting computers in the network. While Weiz is by all means a small town, the production plants of large companies such as construction companies Lieb-Bau-Weiz and Strobl Constructions, and automaker Magna, are located there. The village is considered to be the economic center of the Oststeiermark region of Austria.

Country-wide governmental organizations are not safe from the looming threat of Netwalker either. As the ransomware continues to thrive, Argentina’s official immigration agency, the National Directorate of Immigration (Dirección Nacional de Migraciones), is the latest victim as of August 27th, 2020.

As per a statement issued by the Fiscal Unit Specialized in Cybercrime (Unidad Fiscal Especializada en Ciberdelincuencia), the infection was first noticed around 7 a.m., which led to computer networks being taken offline. This preventive measure was quickly applied in order to stop the ransomware from spreading, but it also led to a four-hour suspension of border crossings. After that, all systems were back online.

4. Private Organizations

Private organizations, especially those in the transportation sector, are another preferred target for malicious ransomware attacks, Netwalker included. Back in February of 2020, Australian company Toll Group was targeted by the ransomware. A leading provider of transportation and logistics services in the Asia Pacific region, the company employs over 44,000 people in 50 countries.

The ransomware attack was deployed on the night of February 2nd. Fortunately, the Toll Group quickly shut down multiple systems to stop its spread. No personal data was reported to have leaked as a result, but customer-facing operations were impacted in Australia, India, and the Philippines.

Come the fall of 2020, Netwalker ransomware is still wreaking havoc in the global private sector. This time around, hackers targeted K-Electric, Pakistan’s largest private power supplier, and the sole provider of energy for the entire Sindh capital of Karachi. The plant employs over 10,000 people and ensures that the lights stay on for around 2.5 million citizens.

The cyberattack took place on the morning of September 7th and affected the company’s online billing services rather than the power supply per se. As of September 9th, K-Electric is still reportedly struggling to mitigate the damage. The hackers orchestrating the operation demanded a $3.8 million ransom and threatened to raise it to $7.7 million after one week.

The Shut Down of Netwalker

Sebastian Vachon-Desjardins was arrested by Canadian authorities on January 27, 2021, and the NetWalker ransomware gang shut down. He was extradited from Canada to the U.S. and sentenced by the U.S. justice system on October 4, 2022, to 20 years in prison.

To Sum It Up…

As always, being proactive is the best course of action when it comes to ransomware attacks. Waiting for a decryptor might be tempting, as it is the easiest way out, but in the meantime, due diligence requires you to protect your business and its assets from Netwalker, as well as other types of cybersecurity issues.




Author Profile

Alina Georgiana Petcu

Product Marketing Manager


Alina Georgiana Petcu is a Product Marketing Manager within Heimdal™ Security and her main interest lies in institutional cybersecurity. In her spare time, Alina is also an avid malware historian who loves nothing more than to untangle the intricate narratives behind the world's most infamous cyberattacks.
