Ransomware is stealing the headlines in the recent past as new variants arise on a regular basis. With the prevailing situation, cyber attackers are exploiting the fear of Covid-19, thus causing victims to fall prey to ransom attacks.

In a nutshell, ransomware is a form of malicious software that target victim computers, limiting access and encrypting their files, until the victim pays a ransom.

If victims refuse to meet hackers’ demands, their data might be used for nefarious purposes. Following this, is a new ploy dubbed ‘NetWalker’. It popped-up initially in August 2019, named as Mailto, but various perpetrators have taken a shine to it in 2020.

Cybersecurity firm McAfee released a study detailing investigation on NetWalker, that has evolved to a more robust and stable ransomware-as-a-service (RaaS) model.

Now, this new NetWalker RaaS function, allows the malware to collaborate with other cybercriminals who already have access to large networks and have the ability to disseminate them.

It is interesting to note that members of the hacking group have been posting advertisements for a “ransomware affiliate program” in the month of March. NetWalker RaaS “prioritizes quality over quantity” and have invited Russian-speaking individuals to come aboard, who have experience with “large networks.”

The data revealed that the team has been carrying out high-profile attacks while alternatively posting on the top-tier Russian-language DarkWeb forums in order to expand its operations.

Additionally, the NetWalker team offered victim-centric material as incentives for potential affiliates such as IP addresses, organization name and revenue and access to admin accounts.

According to the research study, a large sum of bitcoins were linked to the NetWalker ransomware which suggests its extortion efforts are “effective” and that many victims have “succumbed to its criminal demands.”

Ramping up the Graph

In the past months, as the impact of the pandemic increased, NetWalker has become ‘extremely active.’ Especially, the ransomware has surged since moving to a RaaS model. NetWalker has made a name for itself in 2020, racking up around $29 million in extortion gains just since March.

In one transaction, the amount was split between four bitcoin addresses, which is a common situation in RaaS transactions, where the ransom payment is split between the RaaS operators and the affiliate who caused the infection.

The firm found that the “split is 80%, 10% and two 5% portions.” Also, in 23 other transactions, the payments were not split up and the only beneficiaries were the two bitcoin addresses receiving the 5-percent shares in the splits.

“The total amount of bitcoin extorted this way between 1 March 2020 and 27 July 2020 is 677 BTC,” analysts noted. “Additionally, the amount received from remaining transactions following the Ransomware-as-a-Service scheme by these addresses between 1 March 2020 and 27 July 2020 is 188 BTC.”

The total amount of extorted bitcoin that has been uncovered by tracing transactions to NetWalker related addresses is 2795 BTC between 1 March 2020 and 27 July 2020.

It is certain that this quarter alone NetWalker has been highly successful at extorting organizations for large amounts of money. This comes at a time when various sectors are struggling to cope with COVID loss and governments trying to keep businesses from going bankrupt.

“NetWalker is making millions off the backs of legitimate companies.”

Possible FAQ’s

Not only is NetWalker actively expanding its operations, but the group is also changing the way how ransomware is deployed. There are few ambiguities spanning around NetWalker ransomware which are addressed below.

ABR spoke to Chanesh and Jebanand, co-founders of Astaminds, an Indian-based digital enterprise solutions platform, on possibilities of ransomware prevention and early detection. Astaminds, that is expanding its base to Singapore and the USA, works on nascent technologies like blockchain, AI and cybersecurity to name few.

How does NetWalker infects computer systems?

Exploiting the current pandemic situation to infect computers, isn’t new to the NetWalker gang. Apart from enterprises, institutions and firms, the group has been targeting individuals and entities working in the health industry too.

The perpetrators send infected and poisoned emails disguised in the name Coronavirus or related to its information or crisis. When the target clicks the attached file in Word or Excel or PDF, their computers fall into deep pit.

The NetWalker criminals have also created bogus application dubbed “Sticky Password.” This legitimate-looking app is then used to extract files and folders from those victims who have fallen prey to this genuine-looking app.

Infected? What to do?

According to Astaminds directors, the first step is to analyze the type of ransomware. In an easier method, “if it is just a screen locking ransomware, then the system shall be isolated and restarted in safe mode and with the help of antivirus tools, the ransomware can be removed.”

While in case of ransomware affecting files and folders, it is best to use a proper decrypting tool to restore the locked files and folders, they noted. Although hackers delete the original data from the affected computer, taking a back-up, the deleted files can be restored using recovery tools.

What are the organizations that have fallen prey to NetWalker?

Victims have included Australian transportation and logistics firm Toll Group, the Champaign Urbana Public Health District (CHUPD) in Illinois, the Austrian city of Weiz, and most recently Michigan State University.

Should businesses pay ransom?

Jebanand said that, most of the ransomwares can be handled easily without paying a ransom.

“It is generally not advised to pay the ransom amount as there is no guarantee that the hacker will provide decryption methods and there is a possibility that he might have taken a copy of your files and can sell it in darkweb.”

He stressed that unless if the company sees a severe data breach that can harm the company’s reputation, then they can take a decision to negotiate with the hackers.

Preventive Measures

NetWalker ransomware has ravaged several industries including finance and educational institutions. Its recent shift to a business-centric model of RaaS is a clear indication that the ransomware is stepping up, and seems that it is following the footpaths of REvil (a criminal cyber-gang) and other RaaS groups.

Also, the perpetrators have proven their ability to refocus and capitalize on current events across the globe to lure individuals and firms, thus extorting exorbitant amounts.

“As development of the ransomware continues, we have witnessed recent shifts in activity that closely follow in the footsteps of other ransomware developments, including threatening victims with the release of confidential information if the ransom is not met,” McAfee researchers noted.

At the same time, many businesses have also invested in ransomware prevention. According to AJ Nash, Sr. Director of Cyber Intelligence Strategy at Anomali, an IT security company, cyber-criminals are not going to get out of the ransomware business anytime soon. He told an IT security news portal that extorting money through such ransomwares are just “too cheap and successful tactic.”

“Organizations can greatly reduce the threats posed by ransomware by doing a few simple things. Make sure you are managing and identifying assets, patching, training, automating where possible, and using intelligence to get ahead of the assaults,” he cited to SecurityWeek.

Sources: McAfee, Advanced-Intel, Astaminds, SecurityWeek

Follow Asia Blockchain Review on:

• Telegram: https://t.me/asiablockchainreview
• Facebook: https://www.facebook.com/pg/asiablockchainreview
• Twitter: https://twitter.com/abr_blockchain
• LinkedIn: https://www.linkedin.com/company/asia-blockchain-review/
• Website: https://www.asiablockchainreview.com/
• Email: [email protected]
• Youtube: https://www.youtube.com/channel/UCMQ5CVu0c9-pMlwB8LUvkiA

About the author

Sujha Sundararajan

Contributing Author

Sujha has been writing and reporting on cryptocurrencies and blockchain technology developments since 2014. Her work has appeared in CoinDesk, CCN, EconoTimes and Fintech News Malaysia. She is also an accomplished Indian classical singer and loves baking cakes.