Netwalker ransomware emerged as a significant and destructive threat in the cybercrime landscape, particularly gaining notoriety for its ruthless targeting of organizations, including the healthcare sector during the peak of the COVID-19 pandemic. Operating under a Ransomware-as-a-Service (RaaS) model, Netwalker enabled numerous affiliates to launch devastating attacks globally, resulting in tens of millions of dollars in losses and severe operational disruptions. This article provides a deep dive into the Netwalker operation, examining its origins, tactics, targets, notable campaigns, and crucial defense strategies for security professionals aiming to combat such threats. Understanding Netwalker's lifecycle, from its initial detection to its eventual disruption by international law enforcement, offers valuable lessons in the ongoing fight against ransomware.
Netwalker, initially identified as Mailto ransomware, first surfaced in the latter half of 2019, with evidence suggesting development activities as early as August 2019 and initial discoveries around September 2019. Security researchers, including CrowdStrike, attributed the development and operation of Netwalker to a Russian-speaking cybercriminal group designated as CIRCUS SPIDER.
Initially, Netwalker appeared to operate more privately, but it quickly transitioned into a sophisticated Ransomware-as-a-Service (RaaS) model around March 2020. This shift significantly amplified its reach and impact. Under the RaaS model, the core Netwalker operators (CIRCUS SPIDER) provided the ransomware payload, payment infrastructure (including Tor-based sites), leak sites, and technical support. Affiliates, often experienced network intruders recruited through dark web forums, were responsible for gaining access to victim networks and deploying the ransomware. This model operated on a profit-sharing basis, with affiliates typically retaining a large percentage (around 80-84%) of the ransom payments, while the Netwalker operators took the remaining cut (16-20%).
Over time, Netwalker's tactics evolved. Early campaigns in 2020 often involved broader distribution via spam emails containing malicious VBScripts. However, by April 2020, the group shifted towards "Big Game Hunting" (BGH), focusing on high-value targets like large corporations, healthcare facilities, educational institutions, and government agencies. They increasingly adopted the "double extortion" tactic, exfiltrating sensitive victim data before encryption and threatening to leak it publicly on their dedicated dark web blog if the ransom wasn't paid. This evolution demonstrated increasing sophistication and alignment with trends seen across other major ransomware operations like Maze and REvil. The operation faced a major disruption in January 2021 due to a coordinated international law enforcement effort, leading to the arrest of a key affiliate and the seizure of infrastructure and illicit proceeds. It is crucial to understand the incident response lifecycle to effectively combat such threats.
Netwalker operated with a combination of common and sophisticated TTPs, leveraging its RaaS model to scale attacks effectively.
Modus Operandi (RaaS): The core of Netwalker's operation was its RaaS model. CIRCUS SPIDER maintained the ransomware code, payment portals, and data leak site. Affiliates were recruited based on their ability to compromise networks. This division of labor allowed the operators to focus on development and infrastructure while affiliates handled the intrusion and deployment phases, maximizing the number of potential attacks.
Key Attack Stages & TTPs:
Initial Access: Netwalker affiliates employed multiple vectors to gain entry:
Phishing Emails: Often using timely lures, such as COVID-19 related information, containing malicious attachments (e.g., VBScripts) or links.
Exploiting Vulnerabilities: Targeting unpatched public-facing applications and VPNs, notably including CVE-2019-11510 (Pulse Secure VPN), CVE-2019-18935 (Telerik UI for ASP.NET AJAX), and CVE-2019-19781 (Citrix ADC/Gateway).
Compromised RDP Credentials: Exploiting weak or stolen Remote Desktop Protocol credentials.
Compromised Environments: Leveraging pre-existing access obtained through other means or purchased from initial access brokers.
Execution & Deployment:
PowerShell: Frequently used PowerShell scripts to download and execute the ransomware payload in memory, sometimes injecting it into legitimate processes.
Process Hollowing: Employed techniques like process hollowing to inject the ransomware code into legitimate running processes (e.g., explorer.exe) to evade detection by security tools.
Cobalt Strike: Affiliates often used penetration testing frameworks like Cobalt Strike for post-exploitation activities before deploying the ransomware.
Defense Evasion:
Disabling Security Tools: Attempted to terminate processes and services related to security software and backups.
Deleting Shadow Copies: Routinely used vssadmin.exe delete shadows /all /quiet or similar commands to delete Volume Shadow Copies, hindering system restore capabilities.
Dynamic API Resolution: The ransomware dynamically resolved Windows API functions at runtime, making static analysis more difficult.
Configuration Encryption: The embedded configuration file (containing ransom note templates, exclusion lists, encryption keys, etc.) was often RC4 encrypted.
Persistence: Some variants established persistence by creating registry Run keys or scheduled tasks, ensuring the malware would execute again after a reboot. The executable was often copied to standard locations like C:\Program Files\. You can explore the Windows Registry structure to understand how these keys work.
Discovery: Once inside, the malware scanned for local drives and accessible network shares (including administrative shares like Admin$) to identify files for encryption.
Data Exfiltration (Double Extortion): Before initiating encryption, affiliates exfiltrated large volumes of sensitive data from the victim's network to external servers. This stolen data served as leverage for the ransom demand.
Impact (Encryption):
Netwalker encrypted files using strong encryption algorithms (reports mention Salsa20).
It appended a unique extension to encrypted files and dropped a ransom note (often customized per victim, based on the embedded base64 encoded template) in affected directories. The note contained instructions for contacting the attackers via a Tor portal and making the payment, usually in Bitcoin.
Command and Control (C2): Communication for ransom negotiation and data leakage occurred primarily through dedicated Tor-based websites controlled by the Netwalker operators. Monitoring for known indicators of compromise (IOCs) is also an effective detection method.
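The execution and defense-evasion behaviours above (shadow copy deletion, suspicious PowerShell launches, and a process-hollowing heuristic) can be turned into simple detection rules over process-creation telemetry. The following is an added example written for this article, not code from the original page or from any vendor; the record fields and the sample events are constructed to resemble Sysmon Event ID 1 data.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class ProcEvent:
    """Constructed process-creation record (field names are assumptions)."""
    host: str
    image: str          # path of the created process
    cmdline: str
    parent_image: str   # path of the parent process

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_shadow_copy_deletion(e: ProcEvent) -> bool:
    # T1490: "vssadmin delete shadows" or the equivalent wmic command.
    name, cmd = _basename(e.image), e.cmdline.lower()
    if name == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd):
        return True
    return name == "wmic.exe" and re.search(r"shadowcopy\s+delete", cmd) is not None

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PS_SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|downloadstring|"
    r"downloadfile|invoke-expression|\biex\b)", re.IGNORECASE)

def is_suspicious_powershell(e: ProcEvent) -> bool:
    # T1059.001: hidden/encoded PowerShell or PowerShell spawned by a script host
    # (the VBScript attachment -> PowerShell chain described above).
    if _basename(e.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return bool(PS_SUSPICIOUS.search(e.cmdline)) or _basename(e.parent_image) in SCRIPT_HOSTS

EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe"}

def is_unexpected_explorer_parent(e: ProcEvent) -> bool:
    # Heuristic for T1055.012: a fresh explorer.exe started by something other than
    # the logon chain is a common hollowing target. Memory-based EDR checks are the
    # authoritative signal; this only narrows what to look at.
    return (_basename(e.image) == "explorer.exe"
            and _basename(e.parent_image) not in EXPECTED_EXPLORER_PARENTS)

RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("shadow_copy_deletion", is_shadow_copy_deletion),
    ("suspicious_powershell", is_suspicious_powershell),
    ("unexpected_explorer_parent", is_unexpected_explorer_parent),
]

def detect(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (host, rule_name) for every event that matches a rule."""
    return [(e.host, name) for e in events for name, rule in RULES if rule(e)]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    ProcEvent("ws01", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws01", PS, "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQQ==",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", "explorer.exe", PS),
    ProcEvent("ws02", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws03", r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\userinit.exe"),
]
```

Running detect(SAMPLE_EVENTS) flags the two ws01 events and the explorer.exe launched from PowerShell on ws02, while the benign "vssadmin list shadows" and the normal logon-chain explorer.exe on ws03 pass.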
Netwalker's targeting strategy evolved but consistently aimed for maximum financial gain and operational disruption.
Motivations: Primarily financial gain through ransom payments. The public nature of their leak site also suggests a secondary motivation of building notoriety within the cybercriminal underground.
Potential Impact:
Data Breach: Significant risk of sensitive data exposure due to the double extortion tactic.
Operational Disruption: Encryption of critical systems led to severe downtime, impacting business continuity, patient care (in healthcare), public services, and educational activities.
Financial Loss: Direct costs from ransom payments (often substantial), plus indirect costs related to recovery, remediation, legal fees, and reputational damage.
Targeted Industries: While initially broad, Netwalker became infamous for targeting:
Healthcare: Hospitals, clinics, and health systems were frequently hit, even during the COVID-19 pandemic, causing significant ethical concerns and operational risks. The healthcare industry faces a growing number of data breaches.
Education: School districts, colleges, and universities were major targets.
Government: Municipalities, law enforcement agencies, emergency services, and national agencies (like Argentina's immigration directorate).
Private Sector: Various companies across manufacturing, logistics, energy, and technology sectors.
Targeted Regions: Netwalker operated globally but had a significant concentration of victims in North America (especially the U.S.) and Europe. Attacks were also confirmed in South America (Argentina), Asia (Pakistan), and Australia. Notably, the group reportedly prohibited affiliates from targeting organizations within Russia and the Commonwealth of Independent States (CIS).
Netwalker was responsible for numerous high-profile attacks between 2019 and early 2021. Some notable campaigns and victims include:
Healthcare Sector: Attacks on organizations like the Champaign-Urbana Public Health District (Illinois), Crozer-Keystone Health System (Pennsylvania), Wilmington Surgical Associates, and numerous hospitals in Europe (e.g., Brno University Hospital in the Czech Republic during COVID testing) highlighted their disregard for potential human cost.
Educational Institutions: Michigan State University, University of California San Francisco (UCSF, involved in COVID-19 research), and Columbia College Chicago were among the prominent educational victims, often facing large ransom demands and data leaks.
Government Agencies: The attack on Argentina's National Directorate of Immigration (Dirección Nacional de Migraciones) temporarily halted border crossings. Attacks on municipalities like the City of Weiz, Austria, also caused significant disruption.
Private Companies: Large organizations like the Australian logistics giant Toll Group (hit multiple times) and Pakistan's K-Electric power supplier suffered major operational impacts and data theft.
The UCSF attack was particularly notable, as the university publicly acknowledged paying a $1.14 million ransom to recover data related to academic work. The coordinated law enforcement action in January 2021, which involved authorities in the U.S. and Bulgaria, led to the takedown of Netwalker's dark web infrastructure used for publishing stolen data and negotiating ransoms. Additionally, Canadian national Sebastien Vachon-Desjardins, identified as one of Netwalker's most prolific affiliates, was arrested and later extradited to the U.S., effectively dismantling a significant portion of the operation. There are still many cybercriminals that the authorities are dealing with.
Defending against sophisticated RaaS operations like Netwalker requires a multi-layered security strategy focusing on prevention, detection, and response.
Patch Management: Regularly patch operating systems, VPN appliances (especially those with known exploited CVEs like Pulse Secure, Citrix), web applications (like Telerik UI), and other software to close known vulnerabilities used for initial access. A proper patch management strategy is a must.
Email Security: Implement robust email filtering solutions to block phishing emails and malicious attachments. Conduct regular security awareness training for employees to help them identify and report phishing attempts.
Access Control:
Enforce strong, unique passwords for all accounts, especially administrative and remote access accounts.
Implement Multi-Factor Authentication (MFA) wherever possible, particularly for VPN access, RDP, and critical system logins.
Apply the principle of least privilege, ensuring users only have access necessary for their roles.
Network Security:
Secure RDP access by disabling it if unnecessary, placing it behind VPNs/gateways, using strong passwords/MFA, and enabling Network Level Authentication (NLA).
Segment networks to limit lateral movement potential for attackers.
Monitor network traffic for unusual patterns, C2 communication, and large data exfiltration attempts.
Endpoint Protection: Deploy and maintain up-to-date endpoint detection and response (EDR) solutions capable of detecting behavioral anomalies, PowerShell abuse, process injection, and known ransomware indicators. Configure anti-ransomware features if available.
Backup and Recovery:
Implement a comprehensive backup strategy (e.g., 3-2-1 rule: three copies, two different media, one offsite).
Ensure backups are immutable or air-gapped to protect them from being deleted or encrypted by ransomware.
Regularly test backup restoration procedures to ensure they work effectively in an emergency.
PowerShell Security: Implement PowerShell logging and constrain language mode where possible to limit its abuse by attackers.
Incident Response Plan: Develop and regularly test an incident response plan specifically addressing ransomware attacks. This should include steps for isolation, containment, eradication, recovery, and reporting (including contacting law enforcement like the FBI/IC3).
Threat Intelligence: Utilize threat intelligence feeds to stay informed about active ransomware TTPs, indicators of compromise (IOCs), and targeted vulnerabilities. A SIEM can also help to monitor these threats.
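The network monitoring recommendation above (watching for large data exfiltration attempts, which under double extortion precede encryption) can be approximated with a per-host egress baseline. This is an added example written for this article, not code from the original page; the flow-record format, the internal address ranges and the thresholds are assumptions, and the sample flows are constructed.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

@dataclass
class Flow:
    """Constructed flow record: ISO timestamp, source host, destination, bytes sent."""
    ts: str
    src_host: str
    dst_ip: str
    bytes_out: int

# Assumed internal ranges (RFC 1918); anything else counts as external egress.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
MB = 1_000_000

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def hourly_external_egress(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """host -> {"YYYY-MM-DDTHH": bytes sent to external addresses in that hour}."""
    per_host: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_external(f.dst_ip):
            per_host[f.src_host][f.ts[:13]] += f.bytes_out
    return per_host

def find_exfil_candidates(flows: List[Flow], abs_floor: int = 500 * MB,
                          ratio: float = 20.0) -> List[Tuple[str, str, int]]:
    """Flag hours where a host's external egress is both above an absolute floor
    and far above that host's own median for its other observed hours."""
    alerts = []
    for host, hours in hourly_external_egress(flows).items():
        for hour, sent in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            baseline = statistics.median(others) if others else 0
            if sent >= abs_floor and sent >= ratio * baseline:
                alerts.append((host, hour, sent))
    return alerts

SAMPLE_FLOWS = [  # constructed; ws01 stages 3.2 GB to an external host at 12:00
    Flow("2020-06-10T09:15:00", "ws01", "203.0.113.10", 4 * MB),
    Flow("2020-06-10T10:05:00", "ws01", "203.0.113.10", 6 * MB),
    Flow("2020-06-10T11:40:00", "ws01", "203.0.113.10", 5 * MB),
    Flow("2020-06-10T12:02:00", "ws01", "10.0.0.25", 2_000 * MB),   # internal file server
    Flow("2020-06-10T12:10:00", "ws01", "198.51.100.77", 1_500 * MB),
    Flow("2020-06-10T12:35:00", "ws01", "198.51.100.77", 1_700 * MB),
    Flow("2020-06-10T09:00:00", "ws02", "203.0.113.40", 650 * MB),  # steady heavy user
    Flow("2020-06-10T10:00:00", "ws02", "203.0.113.40", 700 * MB),
    Flow("2020-06-10T11:00:00", "ws02", "203.0.113.40", 680 * MB),
    Flow("2020-06-10T01:00:00", "srv-backup", "10.0.0.9", 8_000 * MB),  # internal backup
]
```

The internal transfer and the backup job are ignored, ws02's consistently high egress is not flagged because it is its own baseline, and only the ws01 spike at 12:00 is reported; in practice the baseline should come from days of history rather than a few hours.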
Tactic | Technique ID | Technique Name | Description
---|---|---|---
Reconnaissance | T1592 | Gather Victim Host Information | Affiliates gather info about target systems before deploying.
Resource Development | T1587.001 | Develop Capabilities: Malware | CIRCUS SPIDER developed and maintained the Netwalker payload.
Initial Access | T1566 | Phishing | Used email lures (e.g., COVID-19) with malicious attachments or links.
Initial Access | T1190 | Exploit Public-Facing Application | Exploited vulnerabilities in VPNs (Pulse Secure), Web Apps (Telerik UI), Citrix Gateway.
Initial Access | T1078 | Valid Accounts | Exploited weak or compromised credentials, especially for RDP.
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Frequently used PowerShell for downloading payloads and fileless execution.
Execution | T1204.002 | User Execution: Malicious File | Relied on users opening malicious email attachments (e.g., VBScripts).
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys | Some variants added registry keys for persistence.
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Potential use of scheduled tasks for persistence or execution.
Privilege Escalation | T1078 | Valid Accounts | Used compromised privileged accounts for broader access.
Defense Evasion | T1490 | Inhibit System Recovery | Deleted Volume Shadow Copies using vssadmin.
Defense Evasion | T1055.012 | Process Injection: Process Hollowing | Injected code into legitimate processes like explorer.exe.
Defense Evasion | T1027 | Obfuscated Files or Information | Embedded configuration was often RC4 encrypted. Used dynamic API resolution.
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Attempted to terminate security software processes.
Discovery | T1083 | File and Directory Discovery | Scanned local drives and network shares for files to encrypt.
Discovery | T1135 | Network Share Discovery | Specifically looked for accessible network shares, including Admin$.
Discovery | T1082 | System Information Discovery | Gathered basic system info to tailor attack or ransom note.
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | Used RDP for moving within the network if credentials were obtained.
Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | Moved laterally and encrypted files via network shares.
Collection | T1119 | Automated Collection | Ransomware automatically collected files for encryption.
Collection | T1560 | Archive Collected Data | Data likely staged and archived before exfiltration.
Command & Control | T1071.001 | Application Layer Protocol: Web Protocols | Used Tor-based web portals for ransom negotiation and data leak site.
Command & Control | T1105 | Ingress Tool Transfer | PowerShell used to download ransomware payload. Cobalt Strike beacons used by affiliates.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Likely exfiltrated data over standard protocols (HTTPS) or custom channels before encryption.
Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud | Stolen data uploaded to attacker-controlled storage before being posted on leak site.
Impact | T1486 | Data Encrypted for Impact | Core function: encrypted files using Salsa20 and demanded ransom.
Impact | T1490 | Inhibit System Recovery | Deleting backups/shadow copies increased impact and pressure to pay.
Impact | T1485 | Data Destruction | Deleting shadow copies constitutes a form of data destruction aimed at hindering recovery.
Netwalker ransomware stands as a stark example of the effectiveness and destructive potential of the RaaS model. Spearheaded by the CIRCUS SPIDER group, it inflicted significant financial and operational damage across critical sectors globally, most notably targeting healthcare during a global pandemic. Its use of double extortion tactics, multiple intrusion vectors, and sophisticated evasion techniques made it a formidable threat. While international law enforcement action successfully disrupted the core operation and led to key arrests, the underlying RaaS ecosystem persists. The Netwalker case underscores the critical need for robust, multi-layered cybersecurity defenses, continuous vigilance, employee training, and international cooperation to combat the evolving ransomware threat landscape. SOAR can help with automation and orchestration.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.