NetWalker Ransomware Gang Hunts for Top-Notch Affiliates


The operators behind the Toll Group attack are taking applications for technically advanced partners.

The NetWalker ransomware – the scourge behind one of the recent Toll Group attacks – has transitioned to a ransomware-as-a-service (RaaS) model, and its operators are placing a heavy emphasis on targeting and attracting technically advanced affiliates, according to researchers.

Traditionally, “technically advanced” and RaaS don’t tend to go together – after all, one of the benefits of the RaaS model is that newbie threat actors can simply rent the infrastructure and the tools they need to carry out an attack, rather than develop anything themselves. In the case of NetWalker, however, the operators are bucking that trend.

“The collective is selectively choosing the affiliates it collaborates with, creating an exclusive group of top-tier network intruders to execute its new RaaS business model,” said researchers with Advanced Intelligence, in a Tuesday posting. They added, “This new business model allows NetWalker to collaborate with other seasoned cybercriminals who already have access to large networks and have the ability to disseminate ransomware.”

NetWalker’s creators, according to the analysis, have two methods that they use to distribute their ransomware. One is the typical phishing and spam avenue used by most malware operators; the other is via large-scale network infiltration.

“NetWalker now claims a singular preference for network infiltration, which is novel to the Russian-speaking ransomware community,” explained the researchers, who added that in the advertisements on underground forums for the RaaS offering, the NetWalker group explicitly says that it prefers affiliates “who prioritize quality, not quantity” and states that it has an interest “only in experienced, Russian-speaking network intruders – not spammers – with a preference for immediate, consistent work.”

NetWalker ad on the Dark Web for RaaS affiliates.

One of the members of a Russian-speaking forum told the researchers that interested RaaS candidates must apply to the affiliate program, and are subjected to a review by NetWalker group members.

NetWalker is not the only group to have such standards, however. According to the Advanced Intelligence researchers, the group is following a trend established by the REvil group to pursue the highest standards and rigid requirements for its RaaS candidates.

To sweeten the pot for applicants, the NetWalker operators offer to provide IP addresses, access to domain administrator accounts, network-attached storage (NAS) access, organization names and organization revenue information to their RaaS users. They also offer a generous revenue split for program participants, researchers said.

“What is especially noteworthy is NetWalker’s guarantee of providing decryption to the victims when the ransom is paid,” according to the analysis. “Additionally, the group’s percentage share – [20 percent for Netwalker and 80 percent for the affiliate] – can be considered very generous. To compare, GandCrab [REvil] offered 30/70 or even 40/60 shares.”

NetWalker Ransomware Changes

In addition to building out its RaaS program, the ransomware group has been honing its technology.

It claims that the code “works on all Windows operating systems from Windows 2000 onwards; the actor also claims that NetWalker not only encrypts network assets using a customizable, multi-threaded locker but also maps the breached networks, including resources such as NAS,” according to Advanced Intelligence. “As for the architecture of the ransomware itself, the [group’s] representative has explained [to us] that ‘the locker is located inside a [PowerShell] script,’ which circumvents the need to upload the payload to an external network. NetWalker claims that this feature helps deal with antivirus products, including Windows Defender.”

The group also touts its ability to exfiltrate data from a target and publish it to a “blog” on underground forums as a form of double extortion. A group member sent researchers screenshots and links to the blog to verify its claims.

“This is a significant assertion, given both the credibility of the threat actor and the consequences this action could pose to entities that possess confidential or sensitive information,” according to the analysis. “On May 13th, the representative posted another update with references to targeted entities; most importantly, the post also included a link to the blog in which those entities’ data have been exfiltrated to. Judging from the existence of this blog, the actor’s threat to exfiltrate and publish victims’ data appears highly credible.”

Overall, NetWalker continues to evolve and hit targets, especially in the healthcare space, researchers said. Moreover, the size of the ransom payments it has posted ranges from hundreds of thousands to millions of dollars, they added.

“Netwalker is a rapidly evolving, credible actor that poses a significant threat, especially to the healthcare industry during the COVID-19 crisis,” they concluded. “It is likely that there will be more updates from, and attacks by, NetWalker in the weeks and months to come.”
