Netwalker

Malware updated 4 months ago (2024-05-04T18:34:33.513Z)
NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and to encrypt files, appending a random extension to each encrypted file. Once executed, it disrupts operations and can hold data hostage for ransom. NetWalker has often been observed infiltrating systems through suspicious downloads, emails, or websites, notably through an attachment that allegedly contains information about COVID-19. This file, named "CORONAVIRUS_COVID-19.vbs", embeds a NetWalker ransomware executable along with obfuscated code that extracts and launches the ransomware on the victim's computer. Spain has been identified as a hotspot for infections by this malware. The malware has been linked with various threat actors and affiliates such as Bentley, Cherry, and Zeus, who have been delivering crypted malware samples. Notably, "zevs" ("zeus") is associated with the prominent distribution group Hive0106 (aka TA551), which used the gtags 'zev', 'zem' and 'zvs' during its Trickbot campaigns. Some of these campaigns may be delivered by threat actors using the handles 'Netwalker' and 'Cherry', believed to be working within the ITG23 organization. In addition, other ransomware families such as SunCrypt have adopted attack techniques from NetWalker and Maze. In response to the widespread NetWalker ransomware attacks, particularly those targeting vulnerable Pulse Secure VPN devices for initial access, the FBI released Indicators of Compromise (IOCs) in July 2020. The Department of Justice also launched a global action against NetWalker ransomware to counter its harmful effects. Despite these measures, NetWalker remains a significant threat due to its sophisticated techniques and high profitability.
Description last updated: 2024-05-04T16:16:09.132Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| Netwalker Ransomware | 5 | NetWalker ransomware is a form of malicious software (malware) that targets vulnerable systems, often infiltrating them through suspicious downloads, emails, or websites. Notably, it has been observed to target vulnerable Pulse Secure VPN devices for initial access, as indicated by IOCs released by |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Bitcoin
Extortion
RaaS
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| REvil | Unspecified | 2 | REvil is a type of malware, specifically ransomware, that has been linked to significant cyber attacks. It emerged as part of the Ransomware as a Service (RaaS) model that gained popularity in 2020. This model established relationships between first-stage malware and subsequent ransomware attacks, s |
| TrickBot | Unspecified | 2 | TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea |
| Maze | Unspecified | 2 | Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Sodinokibi | Unspecified | 2 | Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st |
Source Document References
Information about the Netwalker Malware was read from the documents corpus below. This display is limited to 20 results.
| Source | Created | Title |
| --- | --- | --- |
| CERT-EU | 6 months ago | How to protect hospitals against the ransomware Netwalker |
| CERT-EU | 8 months ago | Infographic: A History of Network Device Threats and What Lies Ahead |
| CERT-EU | 8 months ago | Infographic: A History of Network Device Threats and What Lies Ahead \| #ransomware \| #cybercrime \| National Cyber Security Consulting |
| MITRE | 9 months ago | Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds |
| CERT-EU | 10 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Disruption of NetWalker ransomware |
| SecurityIntelligence.com | 10 months ago | ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups |
| CERT-EU | a year ago | Connect the Dots on State-Sponsored Cyber Incidents - Disruption of NetWalker ransomware |
| CERT-EU | a year ago | How the FBI Fights Back Against Worldwide Cyberattacks |
| CERT-EU | a year ago | Ransomware as a Service (RaaS) Explained |
| CERT-EU | a year ago | What Is Double Extortion Ransomware? |
| BankInfoSecurity | a year ago | 'Bulletproof' LolekHosted Down Following Police Operation |
| Securityaffairs | a year ago | Police dismantled bulletproof hosting service provider Lolek Hosted |
| Flashpoint | a year ago | Administrator of 'Bulletproof' Webhosting Domain Charged in Connection with Facilitation of NetWalker Ransomware |
| Naked Security | a year ago | Crimeware server used by NetWalker ransomware seized and shut down |
| CERT-EU | a year ago | LolekHosted seized, five admins arrested following police operation |
| InfoSecurity-magazine | a year ago | Authorities Take Down Lolek Bulletproof Hosting Provider |
| CERT-EU | a year ago | DOJ Reorganizes Units to Better Fight Ransomware |
| CERT-EU | a year ago | DOJ Reorganizes Units to Better Fight Ransomware |
| CERT-EU | a year ago | Cyber Security Today, Week in Review for Friday, July 7, 2023 \| IT World Canada News |
| MITRE | 2 years ago | Shining a Light on DARKSIDE Ransomware Operations \| Blog \| Mandiant |