Netwalker Ransomware Gang Generates Over $25 Million in Ransom Payments in 5 Months

2020 has seen the Netwalker ransomware gang step up attacks on government organizations, healthcare providers, educational institutions, and private companies. In late July the FBI issued a Flash Alert warning about the increase in attacks. This week, McAfee has published data showing how successful those attacks have been. McAfee has been tracking payments made to the Bitcoin addresses known to be used by the threat group and $25 million has been paid by victims in the past 5 months alone.

The huge success of the operation has made Netwalker one of the biggest ransomware threats this year, with the operation now rivalling Sodinokibi (REvil) and Ryuk. Entities that have been attacked using Netwalker ransomware include University of California San Francisco, Toll Group, Michigan State University, Dussmann Group, Lorien Health Services, and Columbia College of Chicago.

Netwalker ransomware started life as a ransomware variant named Mailto, which emerged in August 2019. In late 2019, the ransomware was renamed Netwalker and was used in limited attacks. In 2020, the gang started advertising for affiliates to distribute the ransomware for a cut of the profits. The ransomware-as-a-service (RaaS) operation is not open to anyone willing to try to distribute the ransomware. The threat group stated on hacking fora that they were only interested in working with hackers who could gain access to the networks of large companies in targeted attacks, rather than using botnets and spamming techniques to distribute the ransomware by email. The group expressed a preference for hackers that already had access to those networks and the ability to exfiltrate data.

The recruitment process appears to have been a success, not only based on the ransoms generated, but the methods used in recent attacks. The gang took advantage of the COVID-19 pandemic and was distributing the ransomware via email using .vbs file attachments in March, whereas more recently the ransomware has been delivered by exploiting vulnerabilities in VPN solutions and enterprise software, networking equipment, RDP, and the user interface components of web applications.

As with other ransomware operations that deliver the ransomware manually, prior to encryption, data is exfiltrated from the victim and threats are issued to publish or sell the data. The use of a leak portal for publishing data is part of the success of the operation, giving victims an added incentive for paying the ransom.

Given the recent recruitment campaign and the number of recent attacks, it is probable that Netwalker will continue to be one of the most dangerous and prolific ransomware operations for some time to come.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of