Netwalker

Malware updated 7 months ago (2024-05-04T18:34:33.513Z)
NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and to encrypt files, appending a random extension to each encrypted file. Once executed, it disrupts operations and can hold data hostage for ransom. NetWalker has often been observed infiltrating systems through suspicious downloads, emails, or websites, notably through an attachment that allegedly contains information about COVID-19. This file, named “CORONAVIRUS_COVID-19.vbs”, embeds a NetWalker ransomware executable together with obfuscated code that extracts and launches the ransomware on the victim’s computer. Spain has been identified as a hotspot for infections by this malware.

The malware has been linked with various threat actors and affiliates such as Bentley, Cherry, and Zeus, who have been delivering crypted malware samples. Notably, "zevs" ("zeus") is associated with the prominent distribution group Hive0106 (aka TA551), which used the gtags ‘zev’, ‘zem’ and ‘zvs’ during its Trickbot campaigns. Some of these campaigns may be delivered by threat actors using the handles 'Netwalker' and 'Cherry', believed to be working within the ITG23 organization. Other ransomware families, such as SunCrypt, have adopted attack techniques from NetWalker and Maze.

In response to the widespread NetWalker ransomware attacks, particularly those targeting vulnerable Pulse Secure VPN devices for initial access, the FBI released Indicators of Compromise (IOCs) in July 2020. The Department of Justice also launched a global action against NetWalker ransomware. Despite these measures, NetWalker remains a significant threat due to its sophisticated techniques and high profitability.
Description last updated: 2024-05-04T16:16:09.132Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Netwalker Ransomware (votes: 5)
Description: Netwalker Ransomware is a possible alias for Netwalker. NetWalker ransomware is a form of malicious software (malware) that targets vulnerable systems, often infiltrating them through suspicious downloads, emails, or websites. Notably, it has been observed to target vulnerable Pulse Secure VPN devices for initial access, as indicated by IOCs released by
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Bitcoin
Extortion
RaaS
Associated Malware
Alias: REvil (association type: Unspecified; votes: 2)
Description: The REvil Malware is associated with Netwalker. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th

Alias: TrickBot (association type: Unspecified; votes: 2)
Description: The TrickBot Malware is associated with Netwalker. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,

Alias: Maze (association type: Unspecified; votes: 2)
Description: The Maze Malware is associated with Netwalker. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release
Associated Threat Actors
Alias: Sodinokibi (association type: Unspecified; votes: 2)
Description: The Sodinokibi Threat Actor is associated with Netwalker. Sodinokibi, also known as REvil, is a highly active and impactful threat actor first identified in April 2019. Operating as a ransomware-as-a-service (RaaS), this group has been responsible for a significant proportion of global ransomware incidents. In 2020, Sodinokibi ransomware attacks accounted
Source Document References
Information about the Netwalker malware was read from the document corpus below. This display is limited to 20 results.
Source (created)
CERT-EU (9 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
MITRE (a year ago)
CERT-EU (a year ago)
SecurityIntelligence.com (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
Securityaffairs (a year ago)
Flashpoint (a year ago)
Naked Security (a year ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
MITRE (2 years ago)