NetWalker ransomware group has moved on from phishing for malware propagation to a network-intrusion model that focuses on large businesses only.
What is happening
NetWalker is a Ransomware-as-a-Service (RaaS) operation and is therefore dependent on partners to distribute the malware. However, the group has shifted to accepting only collaborators who are highly skilled in network intrusion.
Big-league ransomware groups, such as REvil, made the shift from mass-volume attacks to large corporations last year and thereby set the trend for other ransomware actors. While some started buying network access, others built their own specialized teams for network-intrusion operations. NetWalker advertised its selection criteria on a Russian hacking forum.
- NetWalker is reportedly capable of exfiltrating data and publishing it to a blog. The claim has been supported by links to one such blog.
- NetWalker authors have asserted that their malware is functional on all Windows versions and has a customizable multi-threaded locker with several encryption settings.
- Researcher Vitali Kremez has discovered the configuration code that can be used to modify the settings for the encryption process.
- The researcher also wrote a YARA rule to identify this ransomware.
Not only are ransomware groups expanding their reach, but they are also changing their deployment tactics. NetWalker is rapidly expanding and is a credible threat actor. The group poses a significant threat to the healthcare sector during the COVID-19 pandemic, and more attacks by it are likely in the near future.