Netwalker

Malware Profile Updated 3 months ago
NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, appending a random extension to each encrypted file. Once executed, it disrupts operations and holds data hostage for ransom. NetWalker has often been observed infiltrating systems through suspicious downloads, emails, or websites, notably via an attachment purporting to contain information about COVID-19. This file, named "CORONAVIRUS_COVID-19.vbs", embeds a NetWalker ransomware executable together with obfuscated code that extracts and launches the ransomware on the victim's computer. Spain has been identified as a hotspot for infections by this malware.

The malware has been linked to various threat actors and affiliates such as Bentley, Cherry, and Zeus, who have been delivering crypted malware samples. Notably, "zevs" ("zeus") is associated with the prominent distribution group Hive0106 (aka TA551), which used the gtags 'zev', 'zem' and 'zvs' during its Trickbot campaigns. Some of these campaigns may be delivered by threat actors using the handles 'Netwalker' and 'Cherry', believed to be working within the ITG23 organization. Other ransomware families, such as SunCrypt, have adopted attack techniques from NetWalker and Maze.

In response to the widespread NetWalker ransomware attacks, particularly those targeting vulnerable Pulse Secure VPN devices for initial access, the FBI released Indicators of Compromise (IOCs) in July 2020, and the Department of Justice launched a global action against NetWalker ransomware. Despite these measures, NetWalker remains a significant threat due to its sophisticated techniques and high profitability.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| Netwalker Ransomware | 5 | NetWalker ransomware is a form of malicious software (malware) that targets vulnerable systems, often infiltrating them through suspicious downloads, emails, or websites. Notably, it has been observed to target vulnerable Pulse Secure VPN devices for initial access, as indicated by IOCs released by |
| Gozi Isfb | 1 | Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims. |
| Smokeloader | 1 | SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded, |
| Cherry | 1 | Cherry is a malicious software, or malware, that has recently impacted Cherry Health, a Michigan-based healthcare provider. The malware infiltrated the system through unknown means, disrupting operations and causing a significant ransomware attack. This incident underscores the security challenges f |
| ITG23 | 1 | ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be |
| Zloader | 1 | ZLoader is a type of malware, malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the capacity to steal personal information, disrupt operations, or even ho |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Bitcoin
Extortion
RaaS
Fbi
Windows
Antivirus
Phishing
Encryption
Breachforums
flaw
Vpn
Vulnerability
Cybercrime
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| REvil | Unspecified | 2 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot |
| TrickBot | Unspecified | 2 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked |
| Maze | Unspecified | 2 | Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w |
| Gozi | Unspecified | 1 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c |
| Doppelpaymer | Unspecified | 1 | DoppelPaymer is a form of malware, specifically ransomware, known for its high-profile attacks on large organizations and municipalities. Originally based on the BitPaymer ransomware, DoppelPaymer was reworked and renamed by the threat group GOLD HERON, after initially being operated by GOLD DRAKE. |
| Emotet | Unspecified | 1 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected, |
| Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in |
| Clop | Unspecified | 1 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o |
| WastedLocker | Unspecified | 1 | WastedLocker is a type of malware developed by the Evil Corp Group, known for its malicious activities. This malware variant was first identified in 2020 and is part of an evolution of ransomware that began with Dridex, followed by DoppelPaymer developed in 2019, and then WastedLocker. The malware i |
| cryptolocker | Unspecified | 1 | CryptoLocker is a type of malware, specifically ransomware, that emerged as a significant threat to cybersecurity worldwide. This malicious software infiltrated systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, CryptoLocker encrypted user |
| Maze Ransomware | Unspecified | 1 | Maze ransomware is a type of malware that emerged in 2019, employing a double extortion tactic to wreak havoc on its victims. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Sodinokibi | Unspecified | 2 | Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st |
| DarkSide | Unspecified | 1 | DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d |
| Hive0106 | Unspecified | 1 | Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by X-Force, a cybersecurity firm. Hive0106's primary role is as a distribution affiliate, delive |
| TA551 | Unspecified | 1 | TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma |
| Zevs | Unspecified | 1 | Zevs is a threat actor, identified as being affiliated with the prominent distribution group Hive0106 (also known as TA551). This affiliation was revealed through leaked chats, where there were several instances of Bentley delivering crypted malware samples to affiliates and partners such as Cherry, |
| Sodin | Unspecified | 1 | Sodin, also known as Sodinokibi or REvil, is a sophisticated threat actor that emerged in the first half of 2019. This entity quickly drew attention due to its unique methods of distribution and attack. It exploited an Oracle Weblogic vulnerability to distribute itself and targeted Managed Service P |
| MUMMY SPIDER | Unspecified | 1 | Mummy Spider, a known eCrime group, is recognized for its development of the Emotet malware. This threat actor has been linked to various names such as Gold Crestwood, TA542, and Mealbug, showcasing its extensive reach and influence in cybercrime activities. The cybersecurity industry has identified |
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Netwalker malware was read from the document corpus below. This display is limited to 20 results.

| Source | Created At | Title |
| --- | --- | --- |
| CERT-EU | 5 months ago | How to protect hospitals against the ransomware Netwalker |
| CERT-EU | 6 months ago | Infographic: A History of Network Device Threats and What Lies Ahead |
| CERT-EU | 6 months ago | Infographic: A History of Network Device Threats and What Lies Ahead \| #ransomware \| #cybercrime \| National Cyber Security Consulting |
| MITRE | 7 months ago | Trickbot Rising: Gang Doubles Down on Infection Efforts to Amass Network Footholds |
| CERT-EU | 8 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Disruption of NetWalker ransomware |
| SecurityIntelligence.com | 8 months ago | ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups |
| CERT-EU | 9 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Disruption of NetWalker ransomware |
| CERT-EU | 10 months ago | How the FBI Fights Back Against Worldwide Cyberattacks |
| CERT-EU | a year ago | Ransomware as a Service (RaaS) Explained |
| CERT-EU | a year ago | What Is Double Extortion Ransomware? |
| BankInfoSecurity | a year ago | 'Bulletproof' LolekHosted Down Following Police Operation |
| Securityaffairs | a year ago | Police dismantled bulletproof hosting service provider Lolek Hosted |
| Flashpoint | a year ago | Administrator of 'Bulletproof' Webhosting Domain Charged in Connection with Facilitation of NetWalker Ransomware |
| Naked Security | a year ago | Crimeware server used by NetWalker ransomware seized and shut down |
| CERT-EU | a year ago | LolekHosted seized, five admins arrested following police operation |
| InfoSecurity-magazine | a year ago | Authorities Take Down Lolek Bulletproof Hosting Provider |
| CERT-EU | a year ago | DOJ Reorganizes Units to Better Fight Ransomware |
| CERT-EU | a year ago | DOJ Reorganizes Units to Better Fight Ransomware |
| CERT-EU | a year ago | Cyber Security Today, Week in Review for Friday, July 7, 2023 \| IT World Canada News |
| MITRE | a year ago | Shining a Light on DARKSIDE Ransomware Operations \| Blog \| Mandiant |