This Ransomware Stole $25 Million in 5 Months

Illustration for article titled This Ransomware Stole $25 Million in 5 Months
Photo: AFP Contributor / Contributor (Getty Images)

A ransomware variant called NetWalker is doing surprisingly well, even in this economy. The malware, which takes computers hostage and asks for a Bitcoin ransom, raked in $25 million in the last five months, a solid haul for what amounts to a solid ransomware-as-a-service platform.


MacAfee explored the software in detail and found that business is (still) booming in the cryptojacking market.

“The total amount of extorted bitcoin that has been uncovered by tracing transactions to these NetWalker related addresses is 2795 BTC between 1 March 2020 and 27 July 2020. By using historic bitcoin to USD exchange rates, we estimate a total of 25 million USD was extorted with these NetWalker related transactions,” they write.

NetWalker is run by a group that has agreed not to target hospitals during the pandemic, making them a set of surprisingly charitable criminals.

Interestingly, the ransomware is getting some solid upgrades. In its original version, the so-called NetWalker (or Mailto) software depended on emailed messages to unlock the user’s machines. Now, the system uses a pasted “security code” that the user must enter into a Tor-protected website. Once the payment goes through, the ransomware stores the crypto in SegWit addresses for “faster transaction time and lower transaction cost.”

“The NetWalker advertisement on the underground forum mentions instant and fully automatic payments around the time of this observed change. This makes us believe the ransomware actors were professionalizing their operation,” wrote MacAfee. Once you pay the ransom, the Tor site sends the victims a decryptor app that then decrypts all of the ransomed files.

Illustration for article titled This Ransomware Stole $25 Million in 5 Months
Screenshot: McAfee

Many high-profile ransomware attacks have stolen millions from corporate victims this quarter, making it a banner year for ransomware purveyors.

John Biggs is a writer from Ohio who lives in Brooklyn. He likes books, watches, and his dog. He is the Editor-in-Chief of Gizmodo. Signal: +16468270591 Telegram: @johnbiggs



The immediate reaction from many would be “Never pay the ransom!”

And it sounds sensible enough. For even if you do, how could you possibly know that the malware isn’t still lurking around somewhere, and not to mention them knowing that since you’ve paid once, surely they could come for you again later?

Then you factor in how long it would take, for you to restore your infrastructure back to the way it was, prior to the disaster. You might think just rollback or perform a data restore on the encrypted data/database, by tape if necessary(shudder), but by more likely, just revert your stuff back to a prior snapshot or system state(you were taking regular snapshots or had them automated, right?).

Just rollback, indeed. That means losing all those changes/updates that were made, leaving a gap in the data. It might be customer data, it might be billing information, oh it could be all kinds of things. Then you start thinking which user accounts might have been compromised, and oh you enforce a mandatory password reset.

It’s totally gone, right? No funny attachments or malware sitting in someone’s inbox, right?’re running AV everywhere, from your mail server to your desktop machines, so how could it have snuck in?

Sleep well.