Netwalker Ransomware

The Netwalker ransomware, also known as Mailto was detected in August 2019, in March, a new variant of the Netwalker ransomware has been identified, and the sources said that this new variant of the Netwalker had earned $25 million in just five months. 

Not only this, but the Netwalker operator has collected nearly 2,795 Bitcoin (BTC), and the way they have obtained the ransomware, it defines that NetWalker is a “ransomware-as-a-service” malware.

According to the McAfee reports, the gang could make more money through this ransomware as they had made an enormous target to accomplish. The Netwalker was mostly targetting and dragging a more comprehensive range of technically exceptional and active criminal associates.

Netwalker Ransomware

This ransomware is a Ransomware-as-a-Service (RaaS) operation that has initially started in late 2019. Where members are assigned to share the ransomware and contaminate victims in return for a 60-70% decrease of ransom amounts. 

The Netwalker gets access to the organization system networks very quickly without any prior notice, and slowly, gain acess to the whole system.

Netwalker directly evades the workstation of the servers and steals all the unencrypted files that are later utilized as leverage to get victims to pay. After getting the full control of the domain, they eventually extend the ransomware to encrypt all the devices of the network.

Ransom notes

Ransom Note ( pre-march 2020)

Netwalker Ransomware

The initial ransom of Netwalker was started in August 2019; at that time, the ransom note was designated that how to communicate with the adversary instantly using unknown email account services with random names.

Ransom Note ( post-march 2020)

Netwalker Ransomware

The new variant of Netwalkier was detected on 12 March 2020, as from the above screenshot you can see the Ransom note, it shows that the threat actors have changed and modified their methods.

As now they are not using Email communication; instead, they directly contact the user with the NetWalker Tor interface. In this, the user has to submit their users key; once they did with the submitting process, now they can directly chat with NetWalker technical assistance.

Netwalker Ransomware


After paying the ransom that has been demanded by the threat actors, the user goes by some technical support. This technical support helps the user to download the decryptor to clean up their surroundings. 

The download is done straight from the NetWalker Tor site, where the payment page turns to a download sheet confirming that the payment was executed and successfully received. The decrypt files were presented in a zip archive; once the user is done with the decryption process, it automatically clears all the data and ransom information.

Amounts Wrenched

Some transactions that are split; the most significant amount that is 80-90% of the ransom is probably assigned to the member that created and performed the operation. In this ransom, the researchers saw a total of 1723 BTC being conveyed to members who had executed this operation.

The total amount of bitcoin extracted this way between 1 March 2020 and 27 July 2020 is 677 BTC. Moreover, the amount collected from dwelling transactions following the Ransomware-as-a-Service scheme more than 188 bitcoins were raised by these addresses between 1 March 2020 and 27 July 2020.

By utilizing historical bitcoin to USD exchange rates, the experts have estimated a total of 25 million USD was extracted with these NetWalker associated transactions. But, the researchers are still investigating the whole matter. 

Netwalker is a colossal game hunter that is responsible for numerous attacks, and it attacks the leading public organizations as well as private sector companies.

Users are advised to read the Anti-ransomware checklist and Ransomware Attack Response Checklist

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Operator Behind The Most Infamous and Deadliest GandCrab Ransomware Arrested in Belarus

Try2Cry – A .NET Ransomware Attack Windows Users and Lock The Files via USB Flash Drive

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.