The NetWalker ransomware has been around for about a year, but it has really made a name for itself in 2020, racking up around $29 million in extortion gains just since March.
First detected in August 2019, NetWalker lingered around before surging in use in March through June, according to an analysis from McAfee Advanced Threat Research (ATR). The uptick coincided with the implementation of a robust ransomware-as-a-service (RaaS) model, which has been attracting technically advanced criminal affiliates.
“NetWalker RaaS prioritizes quality over quantity and is looking for people who are Russian-speaking and have experience with large networks,” the firm noted, in an analysis published Monday. “People who already have a foothold in a potential victim’s network and can exfiltrate data with ease are especially sought after. This is not surprising, considering that publishing a victims’ data is part of NetWalker’s model.”
This is reflected in some of the strikes attributed to the NetWalker malware, which are mainly targeted at large organizations in Europe and North America. These have included hits for transportation giant Toll Group, the University of California San Francisco and, most recently, French smart-battery company Forsee. Also, a recent FBI Alert warned that NetWalker ransomware attackers are now targeting U.S. and foreign government organizations.
Many organizations appear to be paying up: “McAfee discovered a large sum of Bitcoins linked to NetWalker, which suggests its extortion efforts are effective and that many victims have had no option other than to succumb to its criminal demands,” according to researchers.
Raking in Cash
The malware’s operators made some changes in their marketing approach that took effect in March, when its uptick began.
Someone going by the handle “Bugatti” began actively advertising the NetWalker RaaS at that time – and researchers speculated that, given the strength of NetWalker’s reputation on underground forums, “the individual behind Bugatti is most likely a well-respected and experienced cybercriminal.”
The individual is also highly proactive.
“Bugatti provides regular updates on the improvements in the ransomware, such as the popular Invoke-ReflectivePEInjection method, also commonly used by Sodinokibi,” researchers said in the posting. “In addition to the improvements in the ransomware, open slots for new affiliates are advertised. Bugatti strongly emphasized that they are primarily looking for experienced affiliates that focus on compromising the complete networks of organizations as opposed to end users. NetWalker is clearly following in the footsteps of its illustrious targeted ransomware peers like Sodinokibi, Maze and Ryuk.”
In the course of their investigation, researchers noticed one forum message that had screenshots of several partial Bitcoin addresses and dollar amounts. Using the CipherTrace software, they were able to track down the complete Bitcoin addresses from the screenshot and investigate the ledger further.
“Since the Bitcoin blockchain is a publicly accessible ledger, we can follow the money and see where the ransomware actors are transferring it to,” the report explained.
In one transaction, the amount was split between four different Bitcoin addresses – a common situation in RaaS transactions, analysts noted, because the payment is split between the RaaS operators and the affiliate(s). In this observed case, the splits were 80 percent, 10 percent and two 5 percent portions.
“While the [NetWalker operator] beneficiaries of the 5 percent cuts remain the same, the beneficiary of the 10 percent cut seems to change over time,” the researchers noted. “Based on the forum post, we assume these addresses also belong to the NetWalker actors.”
Meanwhile, around 30 unique Bitcoin addresses were the beneficiaries of the 80 percent splits – representing the affiliates.
The firm also found 23 transactions where the ransom payments were not split up, and the only beneficiaries were the two Bitcoin addresses receiving the 5-percent shares in the splits.
“The total amount of Bitcoin extorted this way between 1 March 2020 and 27 July 2020 is 677 BTC,” according to researchers. “Additionally, the amount received from remaining transactions following the ransomware-as-a-service scheme by these addresses between 1 March 2020 and 27 July 2020 is 188 BTC…[also we saw] a total of 1723 BTC being transferred to affiliates.”
In total, that adds up to 2,588 BTC, which at today’s exchange rate translates to $29,111,118.
Technical Changes
The malware itself has also undergone a few changes since March. For instance, the latest NetWalker ransom note drops a request for email communication from the proceedings, in favor of requiring victims to contact the attackers via a NetWalker Tor interface. There, after submitting a user key, victims are redirected to a chat with NetWalker technical support, where they can pay the ransom.
The actors also moved away from using legacy Bitcoin addresses to SegWit addresses.
“The benefits of using the newer SegWit addresses include faster transaction time and lower transaction cost,” according to researchers. “The NetWalker advertisement on the underground forum mentions instant and fully automatic payments around the time of this observed change. This makes us believe the ransomware actors were professionalizing their operation just before expanding to the ransomware-as-a-service model.”
The NetWalker malware uses a custom resource type (1337 or 31337) containing its entire configuration, researchers explained. NetWalker uses its configuration file in the resource to set its encryption mode, the name of the ransom note, contact information (post-March, that means specifying the NetWalker blog URL/payment page instead of an email address) and more.
“This file is extracted to memory and decrypted using the RC4 algorithm with a hard-coded key in the resource,” according to the analysis. “If the malware fails to get the configuration file, it will terminate itself.”
Overall, ransomware has evolved into a lucrative business for threat actors, especially with the rise of RaaS models – from underground forums selling ransomware, to offering services such as support portals to guide victims through acquiring crypto currency for payment, to the negotiation of the ransom.
“The recent shift to a business-centric model of ransomware-as-a-service is a clear sign that it is stepping up, so it seems that the NetWalker group is following in the footsteps of REvil and other successful RaaS groups,” the firm concluded. “The ransomware developers have proven the ability to refocus and capitalize on current world events and develop lures to help ensure the effectiveness of the ransomware, which has allowed them to become selective of their affiliates by limiting access to the ransomware to only those with vetted access to large organizations. As development of the ransomware continues, we have witnessed recent shifts in activity that closely follow in the footsteps of other ransomware developments, including threatening victims with the release of confidential information if the ransom is not met.”
Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us Wednesday Aug. 12 at 2pm ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.