NetWalker ransomware is a form of malicious software (malware) that targets vulnerable systems, often infiltrating them through suspicious downloads, emails, or websites. Notably, it has been observed targeting vulnerable Pulse Secure VPN devices for initial access, as indicated by IOCs released by the FBI. The malware is unique in that it is not compiled but written in PowerShell and executed directly in memory, without the actual ransomware binary being stored on disk. This sophisticated approach allows it to stealthily disrupt operations and hold data hostage for ransom.
The NetWalker ransomware has been associated with significant cyberattacks, including an attack on the ThyssenKrupp Materials group of companies based in the U.S. and Canada on December 28, 2020. It also used the global COVID-19 pandemic as a vector for infection, sending out emails with an attachment named “CORONAVIRUS_COVID-19.vbs” that contained an executable file for the ransomware. Once the attachment was opened, the obfuscated code within the file would extract and launch the ransomware on the victim’s computer, encrypting files and demanding a ransom payment.
In response to these widespread attacks, the Department of Justice launched a global action against NetWalker ransomware. In a coordinated effort with Bulgarian authorities, it disrupted the ransomware's operations, disabling its dark web resources and arresting a Canadian citizen believed to be associated with the operation. Additionally, approximately $500,000 in cryptocurrency, which victims had paid as ransom, was seized. These actions marked a significant step towards mitigating the threat posed by the NetWalker ransomware.
Description last updated: 2024-05-04T17:09:02.615Z