The ransomware, which was originally known as Mailto, was first identified in August 2019 and has morphed into a number of different iterations that have wrought havoc online over the past 12 months.
McAfee’s Advanced Threat Research has identified a surge in Netwalker ransomware attacks over the past four months in particular and says the efficacy of the attacks is evident in the sheer value of Bitcoin handed over by victims.
The security firm was able to identify the Bitcoin addresses used by the attackers thanks to posts in an underground forum, which enabled McAfee to make an educated estimate of the funds extorted since March 2020.
By tracing various addresses linked to the two main Bitcoin public addresses used by Netwalker, McAfee estimates that 2795 BTC, worth $25 mln, were extracted from victims in the past four months alone.
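As an added illustration of the kind of address tracing described above (this is example code, not McAfee's analysis or data), the following Python script expands two seed addresses into a wallet cluster using the common-input-ownership heuristic, an assumption chosen here, and then sums only the payments that flow into that cluster from outside it. The ledger is a constructed, simplified sample; the seed and victim names are placeholders.

```python
from typing import Iterable, List, Set, Tuple

# Constructed, simplified sample ledger (not real Netwalker data; mining fees ignored).
# Each entry lists the addresses that signed the inputs and the (address, BTC) outputs.
SAMPLE_TXS: List[dict] = [
    {"txid": "t1", "inputs": ["victimA"], "outputs": [("seed1", 30.0)]},
    {"txid": "t2", "inputs": ["victimB"], "outputs": [("seed2", 45.5)]},
    {"txid": "t3", "inputs": ["victimC"], "outputs": [("payout1", 12.0)]},
    # seed1 and payout1 co-sign here, so payout1 is treated as the same wallet;
    # the 1.0 BTC change output is internal and must not count as ransom.
    {"txid": "t4", "inputs": ["seed1", "payout1"], "outputs": [("exchange", 41.0), ("change1", 1.0)]},
    {"txid": "t5", "inputs": ["victimD"], "outputs": [("change1", 7.0)]},
    {"txid": "t6", "inputs": ["change1", "seed2"], "outputs": [("exchange", 50.0), ("change2", 3.5)]},
    {"txid": "t7", "inputs": ["victimE"], "outputs": [("change2", 2.0)]},
    {"txid": "t8", "inputs": ["victimF"], "outputs": [("seed1", 4.0)]},
    {"txid": "t9", "inputs": ["change2", "seed1"], "outputs": [("exchange", 9.5)]},
]


def cluster_addresses(seeds: Iterable[str], txs: List[dict]) -> Set[str]:
    """Common-input-ownership heuristic: any address that co-signs a transaction
    with a known cluster member is assumed to belong to the same wallet.
    Iterates to a fixpoint so the order of transactions does not matter."""
    cluster = set(seeds)
    changed = True
    while changed:
        changed = False
        for tx in txs:
            ins = set(tx["inputs"])
            if ins & cluster and not ins <= cluster:
                cluster |= ins
                changed = True
    return cluster


def estimate_inflow(seeds: Iterable[str], txs: List[dict]) -> Tuple[float, Set[str], Set[str]]:
    """Sum BTC paid into the cluster from addresses outside it. Outputs created by
    transactions the cluster itself signed (change, internal shuffles) are skipped
    so that moving funds between the group's own addresses is not counted twice.
    Returns (total_btc, cluster, paying_addresses)."""
    cluster = cluster_addresses(seeds, txs)
    total, payers = 0.0, set()
    for tx in txs:
        if set(tx["inputs"]) & cluster:
            continue  # internal transfer or change, not a victim payment
        for addr, amount in tx["outputs"]:
            if addr in cluster:
                total += amount
                payers.update(tx["inputs"])
    return round(total, 8), cluster, payers


if __name__ == "__main__":
    total, cluster, payers = estimate_inflow({"seed1", "seed2"}, SAMPLE_TXS)
    print(f"cluster={sorted(cluster)} payers={len(payers)} inflow={total} BTC")
```

On real chain data the same two functions apply unchanged, but the heuristic can over-cluster (e.g. CoinJoin inputs), so treat the result as an estimate, as the report does.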
An evolving ransomware
This particular piece of ransomware has evolved since it was first identified in 2019 and the method of attack and correspondence with victims has changed as well.
In 2019 the Netwalker ransomware would gain access to a user’s system and require correspondence via email in order for victims to decrypt their affected files and system. In 2020 the attackers changed this method, requiring victims to communicate through a portal reachable via the Tor browser.
In order to regain access to their system, victims would have to send the attackers an agreed amount in BTC. This would then prompt the Netwalker attackers to deliver a program that would decrypt the files.
Another interesting evolution in the modus operandi of the Netwalker operators was a switch from legacy Bitcoin addresses to newer SegWit addresses. This gives the attackers the benefit of faster transaction times and lower network fees.
The group behind the Netwalker ransomware has also been actively advertising its Ransomware-as-a-Service (RaaS) offering on a couple of unidentified but ‘well-known’ darknet forums.
Posting under the pseudonym Bugatti, the group advertises the use of the Netwalker ransomware to participants that meet certain criteria. This includes would-be partners that have access to large networks.
It seems that the focus is on targeting larger organisations, rather than individual users around the world, which nets far higher ransoms. This also requires potential affiliates to be highly skilled, and it seems that new Netwalker partners are only advertised for when there is a vacancy within the group.
The ransoms are shared between the actual operators of the Netwalker RaaS and the affiliate that carried out the infection of a victim’s system. McAfee identified that the split of the takings is 80-20 percent between the operators and the affiliate.
As The Daily Chain previously reported, ransomware attacks seem to be on the rise amid a bullish outlook for the overall cryptocurrency market.
The attacks have been fairly high profile as well, with the likes of US-based travel firm CWT and US tech firm Garmin having paid $10 mln ransoms in cryptocurrencies to wrestle back control of various affected functions within both organisations.