Netwalker

Malware updated 10 months ago (2024-11-29T14:20:23.241Z)
Download STIX
Preview STIX
NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that NetWalker often infiltrates systems through suspicious downloads, emails, or websites, notably through an attachment that allegedly contains information about COVID-19. This file, named “CORONAVIRUS_COVID-19.vbs”, embeds a NetWalker ransomware executable and obfuscated code to extract and launch this ransomware on the victim’s computer. Spain has been identified as a hotspot for infections from this malware. The malware has been linked with various threat actors and affiliates such as Bentley, Cherry, and Zeus, who have been delivering crypted malware samples. Notably, "zevs" ("zeus") is associated with the prominent distribution group Hive0106 (aka TA551), which used the gtags ‘zev,’ ‘zem’ and ‘zvs’ during their Trickbot campaigns. Some of these campaigns may be delivered by threat actors using the handles 'Netwalker' and 'Cherry,' believed to be working within the ITG23 organization. In addition, other types of ransomware like SunCrypt have adopted attacking techniques from NetWalker and Maze ransomware. In response to the widespread NetWalker ransomware attacks, particularly those targeting vulnerable Pulse Secure VPN devices for initial access, the FBI released Indicators of Compromise (IOCs) in July 2020. The Department of Justice also launched global action against NetWalker Ransomware to counteract its harmful effects. Despite these measures, NetWalker remains a significant threat due to its sophisticated techniques and high profitability.
Description last updated: 2024-05-04T16:16:09.132Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Netwalker Ransomware is a possible alias for Netwalker. NetWalker ransomware is a form of malicious software (malware) that targets vulnerable systems, often infiltrating them through suspicious downloads, emails, or websites. Notably, it has been observed to target vulnerable Pulse Secure VPN devices for initial access, as indicated by IOCs released by
5
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Bitcoin
Malware
RaaS
Extortion
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The cryptolocker Malware is associated with Netwalker. CryptoLocker is a type of malware known as ransomware that emerged as a significant cybersecurity threat. This malicious software infects systems through suspicious downloads, emails, or websites and then encrypts the user's documents, demanding a ransom for their recovery. It has been described as Unspecified
2
The TrickBot Malware is associated with Netwalker. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,Unspecified
2
The Lockbit Malware is associated with Netwalker. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers orUnspecified
2
The REvil Malware is associated with Netwalker. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. ThUnspecified
2
The Ryuk Malware is associated with Netwalker. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
2
The Maze Malware is associated with Netwalker. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the releaseUnspecified
2
The Conti Malware is associated with Netwalker. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personaUnspecified
2
The WastedLocker Malware is associated with Netwalker. WastedLocker is a sophisticated malware developed by the Evil Corp Group, a notorious cybercriminal organization. This malware is a form of ransomware that targets both Windows and Android devices, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utiliUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sodinokibi Threat Actor is associated with Netwalker. Sodinokibi, also known as REvil, is a highly active and impactful threat actor first identified in April 2019. Operating as a ransomware-as-a-service (RaaS), this group has been responsible for a significant proportion of global ransomware incidents. In 2020, Sodinokibi ransomware attacks accounted Unspecified
2
Source Document References
Information about the Netwalker Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
a month ago
CrowdStrike
7 months ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
MITRE
2 years ago
CERT-EU
2 years ago
SecurityIntelligence.com
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
BankInfoSecurity
2 years ago
Securityaffairs
2 years ago
Flashpoint
2 years ago
Naked Security
2 years ago
CERT-EU
2 years ago
InfoSecurity-magazine
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago