Crime doesn’t pay? Tell that to emerging Ransomware-as-a-Service crew NetWalker. They have taken home approximately $25 million in extorted funds between March 1 and late July, according to an in-depth investigation by security firm McAfee.
The company’s researchers tracked ransom payments to the NetWalker syndicate — the malware was initially known as Mailto, and was first detected in August 2019 — after identifying a series of Bitcoin wallets used by the cybercrime gang.
In a detailed analysis of the ransomware itself McAfee notes it has joined the “illustrious” trio of highly targeted ransomware crews Sodinokibi, Maze and Ryuk in terms of sophistication and reach, and has been openly advertising for “experienced affiliates that focus on compromising the complete networks of organizations”.
High-profile targets of NetWalker include the University of California, which was stung for $1.14 million; the Australian transport and logistics company Toll Group; and the Illinois Champaign-Urbana Public Health District website, which temporarily prevented health district employees from accessing their files.
“One forum message in particular caught our attention as it included screenshots of several partial bitcoin addresses and USD amounts”, McAfee said. “This was most likely done to showcase the financial success of the ransomware.”
Using Ciphertrace, a cryptocurrency tracking tool, they were able to find the full Bitcoin addresses: “On 30 March 2020 the first incoming transaction appears where the amount is split between 4 different bitcoin addresses,” their research report notes.
“A split like this is typically seen in Ransomware-as-a-Service, where the ransom payment is split between the RaaS operators and the affiliate who caused the infection. In this first transaction, the split is 80%, 10% and two 5% portions. This split matches the advertisement on the underground forum (80% – 20%).
“In the two addresses uncovered by tracing the transactions a total of 641 bitcoin is held on 27 July 2020” (worth circa $7 million), McAfee’s team noted, adding: “The total amount of extorted bitcoin that has been uncovered by tracing transactions to these NetWalker related addresses is 2795 BTC between 1 March 2020 and 27 July 2020”.
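As an added illustration, not McAfee's tooling or code: a small Python checker that flags transactions whose outputs divide in the 80/10/5/5 proportions described above (allowing for the miner fee) and totals payments to a set of traced addresses over a date window. All transaction ids and addresses below are constructed placeholders.

```python
from datetime import date

# Split McAfee observed in the first NetWalker ransom transaction: 80% to the
# operators, then 10%, 5% and 5% to affiliate-side addresses (80/20 overall).
NETWALKER_SPLIT = (0.80, 0.10, 0.05, 0.05)

def output_shares(outputs):
    """outputs: list of (address, amount_btc). Each output's share of the total, largest first."""
    total = sum(amount for _, amount in outputs)
    if total <= 0:
        raise ValueError("transaction has no positive outputs")
    return sorted((amount / total for _, amount in outputs), reverse=True)

def matches_split(outputs, expected=NETWALKER_SPLIT, tolerance=0.01):
    """True if the outputs divide in the expected proportions. Shares are compared
    after sorting, so output order is irrelevant; the miner fee leaves real shares
    slightly off the nominal split, hence the tolerance."""
    shares = output_shares(outputs)
    target = sorted(expected, reverse=True)
    return len(shares) == len(target) and all(
        abs(s - e) <= tolerance for s, e in zip(shares, target))

def flagged_txids(transactions, expected=NETWALKER_SPLIT):
    """Ids of transactions whose output split matches the RaaS revenue share."""
    return [tx["txid"] for tx in transactions if matches_split(tx["outputs"], expected)]

def total_received(transactions, watchlist, start, end):
    """BTC paid to watchlisted addresses by transactions dated within [start, end]."""
    return sum(amount for tx in transactions if start <= tx["date"] <= end
               for addr, amount in tx["outputs"] if addr in watchlist)

# Constructed sample transactions (placeholder txids and addresses, not real ones).
SAMPLE_TXS = [
    {"txid": "tx-constructed-1", "date": date(2020, 3, 30),   # ransom, 80/10/5/5 after fee
     "outputs": [("bc1-operator-placeholder", 0.795), ("bc1-aff-a-placeholder", 0.099),
                 ("bc1-aff-b-placeholder", 0.0498), ("bc1-aff-c-placeholder", 0.0497)]},
    {"txid": "tx-constructed-2", "date": date(2020, 4, 2),    # ordinary payment plus change
     "outputs": [("1-shop-placeholder", 0.5), ("1-change-placeholder", 0.4995)]},
    {"txid": "tx-constructed-3", "date": date(2020, 8, 1),    # ransom, outside the date window
     "outputs": [("bc1-operator-placeholder", 1.6), ("bc1-aff-a-placeholder", 0.2),
                 ("bc1-aff-b-placeholder", 0.1), ("bc1-aff-c-placeholder", 0.1)]},
]
WATCHLIST = {"bc1-operator-placeholder", "bc1-aff-a-placeholder",
             "bc1-aff-b-placeholder", "bc1-aff-c-placeholder"}

if __name__ == "__main__":
    print(flagged_txids(SAMPLE_TXS))
    print(total_received(SAMPLE_TXS, WATCHLIST, date(2020, 3, 1), date(2020, 7, 27)))
```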
What are NetWalker’s Typical Initial Intrusion Techniques?
As mapped against the MITRE ATT&CK framework, NetWalker initial access typically comes via a familiar trio of techniques: spear-phishing attachments; exploiting public-facing applications like Tomcat or WebLogic; or compromising exposed RDP endpoints.
CVE-2020-0796 (a Microsoft Server Message Block 3.1.1 vulnerability); CVE-2019-1458 (a bug in which Microsoft’s Win32k component fails to properly handle objects in memory); CVE-2017-0213 (elevation of privilege in Windows COM Aggregate Marshaler); and CVE-2015-1701 (another elevation of privilege vulnerability that exists when the Win32k.sys kernel-mode driver improperly handles objects in memory) have all also been seen being abused in the wild by NetWalker.
The ransomware appends a random extension to infected files and uses Salsa20 encryption. It also “uses some tricks to avoid detection, such as a new defence evasion technique, known as reflective DLL loading, to inject a DLL from memory”.
McAfee’s researchers also noted that as of March 12 the attackers have changed the contact method significantly, dropping email communication, with victims now required to make contact through the NetWalker Tor interface where, “after submitting their user key, they will then be redirected to a chat with NetWalker technical support”.
The ransomware revamped its service in recent months by moving away from legacy Bitcoin addresses to SegWit addresses. Segregated Witness, or SegWit, is the process whereby the block size limit on a blockchain is increased by removing signature data from Bitcoin transactions, thereby freeing up capacity to add more transactions to the chain. This makes the payment process faster and cheaper. The report states:
“The benefits of using the newer SegWit addresses include faster transaction time and lower transaction cost. The NetWalker advertisement on the underground forum mentions instant and fully automatic payments around the time of this observed change. This makes us believe the ransomware actors were professionalizing their operation just before expanding to the Ransomware-as-a-Service model”.
If targets do not pay the ransom, NetWalker releases sensitive documents that it has taken from within the breached network. Security researchers at SentinelLabs noted: “To date, stolen data belonging to twelve different NetWalker victims has been publicly posted… The attackers behind NetWalker campaigns are known to use common utilities, post-exploit toolkits and Living-off-the-Land (LOTL) tactics to explore a compromised environment and siphon off as much data as possible”.