Ransomware-as-a-service (RaaS) group NetWalker has made $25 million in just a matter of months, according to new research from McAfee.
The ransomware works via an affiliate model, whereby operators build custom versions of the malware and distributors (affiliates) are invited to deploy it, receiving a cut of around 80% of the profits.
By monitoring Bitcoin addresses under the control of NetWalker actors, McAfee was able to spot 2795 BTC flowing to the attackers between March 1 and July 27, 2020.
“Even though we do not have complete visibility into the BTC flow before NetWalker started ramping up, one thing is certain, this quarter alone it has been highly successful at extorting organisations for large amounts of money,” the report noted.
“All this at a time when many sectors are struggling because people are sheltering in place and governments are trying to keep businesses from going bankrupt. NetWalker is making millions off the backs of legitimate companies.”
The success of the group appears to have come from the tactics it has deployed over the past few months.
Although first appearing in August 2019, NetWalker more recently adopted the RaaS model and began recruiting affiliates with strong technical expertise in targeted attacks and data theft of the sort used by Maze, REvil, Ryuk and other groups.
Advertisements on the cybercrime underground, especially those posted by a threat actor known as “Bugatti,” share information on updates to the ransomware and help to recruit new affiliates capable of compromising whole corporate networks, rather than end users, McAfee said.
Attacks typically start with spear-phishing emails, Tomcat and WebLogic server exploits, and the compromise of RDP endpoints protected by weak passwords, it claimed.
Like several of its peers, the group will upload stolen data to a dedicated page and entry for each corporate victim if they refuse to pay the ransom.