McAfee specialists studied NetWalker ransomware, traced the operators' bitcoin wallets and counted how much they earn. It turned out that in terms of "profitability" NetWalker can be compared with Ryuk or REvil: since March 2020 the ransomware has brought its operators about $25 million.
NetWalker was discovered in August 2019. Initially the ransomware was named Mailto, but researchers later renamed it NetWalker. The malware operates under the RaaS (ransomware-as-a-service) model: affiliates apply through a dedicated portal and are vetted by the operators, after which they can build their own versions of the ransomware.
The NetWalker authors prefer to collaborate with hacking groups interested in targeted attacks against large companies rather than mass attacks on individual users. This approach allows the ransomware operators to demand larger ransoms, because large companies lose large sums of money during forced downtime, and sometimes it really is cheaper for them to pay.
McAfee experts write that NetWalker attacks often begin through vulnerabilities in Oracle WebLogic and Apache Tomcat, poorly protected RDP endpoints, and phishing attacks on employees of the target company. The FBI also recently warned that NetWalker operators have begun using exploits for a vulnerability in Pulse Secure VPN (CVE-2019-11510) and for web applications built on Telerik UI (CVE-2019-18935).
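A defender reading the FBI warning will want to know whether those two exploits have already been tried against their own edge. The script below is an added example, not code from McAfee, the FBI or the NetWalker analysis: it scans web-server access logs in Common Log Format for the publicly documented request shapes of the two CVEs named above. For CVE-2019-11510 that is a traversal through the `/dana-na/../dana/html5acc/guacamole/` path on a Pulse Secure gateway; for CVE-2019-18935 it is a POST to the Telerik `Telerik.Web.UI.WebResource.axd?type=rau` upload handler. The sample log lines are constructed (RFC 5737 documentation addresses), and the function and field names are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real traffic;
# the client addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2020:08:01:12 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1843
198.51.100.7 - - [10/Jun/2020:08:02:30 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5122
203.0.113.5 - - [10/Jun/2020:08:03:44 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 200 220
192.0.2.9 - - [10/Jun/2020:09:15:01 +0000] "POST /Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1" 200 312
192.0.2.9 - - [10/Jun/2020:09:15:02 +0000] "POST /Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1" 500 0
198.51.100.7 - - [10/Jun/2020:09:20:00 +0000] "GET /Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1" 404 0
198.51.100.7 - - [10/Jun/2020:09:21:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# CVE-2019-11510: pre-auth arbitrary file read on Pulse Secure via a traversal
# that passes through the HTML5 access (guacamole) path. High-fidelity signal;
# legitimate clients never request this shape.
PULSE_TRAVERSAL = re.compile(
    r'/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+', re.IGNORECASE
)

# CVE-2019-18935: .NET deserialization in Telerik UI RadAsyncUpload. The same
# handler is used by legitimate uploads, so a POST here is a triage signal,
# not a verdict on its own.
TELERIK_RAU = re.compile(
    r'/Telerik\.Web\.UI\.WebResource\.axd\?type=rau', re.IGNORECASE
)


def classify(entry):
    """Return (cve, likely_success) for a parsed log entry, or None."""
    # Decode once so %2e%2e and friends cannot slip past the pattern.
    path = unquote(entry["path"])
    if PULSE_TRAVERSAL.search(path):
        # A 200 on the traversal means the gateway served the requested file.
        return "CVE-2019-11510", entry["status"] == "200"
    if entry["method"] == "POST" and TELERIK_RAU.search(path):
        return "CVE-2019-18935", entry["status"] == "200"
    return None


def scan_log(text):
    """Parse CLF lines and return one finding dict per matching request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF
        entry = m.groupdict()
        hit = classify(entry)
        if hit is None:
            continue
        cve, likely_success = hit
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "cve": cve,
            "path": entry["path"],
            "likely_success": likely_success,
        })
    return findings


def summarize(findings):
    """Count findings per (source IP, CVE) so repeat offenders stand out."""
    return Counter((f["ip"], f["cve"]) for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        flag = "SUCCESS?" if f["likely_success"] else "attempt"
        print(f'{f["ts"]} {f["ip"]} {f["cve"]} {flag} {f["path"]}')
    for (ip, cve), n in summarize(hits).items():
        print(f"{ip} {cve}: {n} request(s)")
```

Run it against real gateway or IIS logs by replacing `SAMPLE_LOG` with the file contents. A successful CVE-2019-11510 read is itself a credential-exposure event on Pulse Secure, so a `likely_success` hit there should trigger password and session resets, not just patching.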
Both American law enforcement and McAfee's researchers note that the group's activity has increased significantly in recent months. At present the best-known NetWalker victim is Michigan State University, which was infected at the end of May this year. At the same time, according to McAfee, NetWalker threatens not only American companies but also companies in Western Europe.
Experts attribute part of NetWalker's success to the fact that its authors run their own leak site, where they publish data stolen from companies that refuse to pay. This gives the criminals additional leverage over victims, many of whom fear that their intellectual property or sensitive user data will end up in the public domain.