Threat Actor Profile

Netwalker

Netwalker, also known as Mailto or Circus Spider, is a sophisticated ransomware-as-a-service (RaaS) operation that first appeared in August 2019. This financially motivated cybercrime group gained notoriety for its double extortion tactics, where they not only encrypt a victim's files but also exfiltrate sensitive data and threaten to leak it publicly unless a second ransom is paid.

Country of Origin

While the exact country of origin is not definitively known, evidence points toward a Russian-speaking group. The Netwalker affiliate program explicitly prohibited attacks against organizations in Russia and the Commonwealth of Independent States (CIS), a common rule among Russian cybercrime syndicates.

Members

Netwalker operated a RaaS model, recruiting skilled affiliates through advertisements on dark web forums. The core group, known as Circus Spider, provided the ransomware and infrastructure, while a network of verified affiliates carried out the attacks. This model allowed for widespread campaigns without a large, centralized team.

Leadership

The leadership structure of Netwalker remains largely unknown. One key affiliate, Sebastien Vachon-Desjardins, was arrested, but the core developers and leaders have not been publicly identified.

Netwalker TTPs

Tactics

Netwalker's primary goal was simple: make a boatload of money. They accomplished this through a highly effective RaaS model, focusing on "big game hunting"—targeting large organizations that could afford massive ransoms. Their main tactics involved initial access, data exfiltration, and double extortion to maximize pressure on victims.

Techniques

To get inside a network, Netwalker affiliates used several techniques. They often exploited unpatched software and weak credentials, particularly targeting vulnerabilities in VPN appliances like Pulse Secure VPN and web applications using Telerik UI. Once inside, they used tools like Cobalt Strike and PowerShell scripts to move laterally, escalate privileges, and avoid detection. To cover their tracks and prevent recovery, they deleted shadow volume copies using vssadmin or WMI commands.

Procedures

The attack chain typically started with a phishing email or by exploiting a public-facing application. A common method involved COVID-19-themed phishing campaigns that tricked users into opening malicious attachments. Once initial access was gained, the attackers deployed PowerShell-based malware that executed in memory. They also used process hollowing to inject their malicious payload into legitimate processes like explorer.exe, making it harder to spot. After exfiltrating data, the ransomware would encrypt files across the network, leaving behind a ransom note in each folder.
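The Techniques and Procedures sections above name behaviours that are visible in endpoint telemetry: shadow copy deletion through vssadmin or WMI, PowerShell payloads that run in memory (typically passed as an encoded command with a hidden window), and PowerShell launched by an Office application after a phishing attachment is opened. The following is an added detection example written for this profile; it is not Huntress code and not taken from the original page. It assumes a simplified, constructed `parent|image|command line` representation of Windows process-creation events (Sysmon event ID 1 style) and uses constructed sample lines rather than real telemetry.

```python
"""Detection logic for the Netwalker tradecraft described in this profile.
Added illustration, not Huntress code. Event format and sample lines are
constructed assumptions: "parent image|process image|command line"."""
import base64
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Case-insensitive patterns for the behaviours named in the profile.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b|\bshadowcopy\s+delete\b", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)


@dataclass
class Finding:
    index: int          # position of the event in the input list
    rule: str           # which detection fired
    detail: str = ""    # decoded script or the matched command line


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(token: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; decode it so an analyst
    sees the script instead of an opaque blob. Returns "" if it does not decode."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_event(index: int, event: str) -> list[Finding]:
    parent, image, cmdline = event.split("|", 2)
    parent_name, image_name = _basename(parent), _basename(image)
    findings: list[Finding] = []

    # 1. Shadow copy deletion via vssadmin or WMI, used to block recovery before encryption.
    if image_name in {"vssadmin.exe", "wmic.exe"} and SHADOW_DELETE.search(cmdline):
        findings.append(Finding(index, "shadow_copy_deletion", cmdline))

    if image_name in {"powershell.exe", "pwsh.exe"}:
        # 2. Encoded command: typical of in-memory loaders that never land as a .ps1 on disk.
        m = ENCODED_PS.search(cmdline)
        if m:
            findings.append(Finding(index, "encoded_powershell", decode_encoded_command(m.group(1))))
        # 3. Hidden window: interactive users rarely need it; loaders use it to stay unseen.
        if HIDDEN_WINDOW.search(cmdline):
            findings.append(Finding(index, "hidden_window_powershell", cmdline))
        # 4. Office application spawning PowerShell: the phishing-attachment path.
        if parent_name in OFFICE_PARENTS:
            findings.append(Finding(index, "office_spawned_powershell", parent_name))
    return findings


def detect(events: list[str]) -> list[Finding]:
    out: list[Finding] = []
    for i, ev in enumerate(events):
        out.extend(analyze_event(i, ev))
    return out


# Constructed sample events (not real telemetry). The encoded payload is a harmless
# Write-Output so the decoder has something to show.
ENC = base64.b64encode("Write-Output 'constructed'".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    "services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand " + ENC,
    "explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -Command Get-Process",
    "winword.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -w hidden -nop -c Start-Sleep 1",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.rule} -> {f.detail}")
```

The benign svchost and interactive `Get-Process` lines produce no findings, while the shadow copy deletions, the encoded hidden-window PowerShell and the Word-spawned PowerShell each fire. In practice the process-creation events would come from Sysmon or Windows Security event 4688 with command-line auditing enabled, and a hit on `shadow_copy_deletion` from a non-backup process is worth treating as an active ransomware precursor rather than a low-priority alert.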

Notable Cyberattacks

One of Netwalker’s most publicized attacks was against the University of California San Francisco (UCSF) in June 2020. The university, which was actively involved in COVID-19 research, was hit with ransomware that encrypted servers in its School of Medicine. After a negotiation, UCSF paid a ransom of $1.14 million to recover its data. Another major incident involved the Toll Group, a massive Australian logistics company, which was forced to shut down numerous systems in early 2020, disrupting its operations across the Asia-Pacific region.

Law Enforcement & Arrests

In January 2021, a coordinated international law enforcement operation took down Netwalker’s dark web infrastructure used for leaking stolen data. The U.S. Department of Justice, in cooperation with Bulgarian authorities, seized the servers. Around the same time, Canadian authorities arrested Sebastien Vachon-Desjardins, a Canadian national and one of Netwalker's most prolific affiliates. He was extradited to the U.S. and eventually sentenced to 20 years in prison in October 2022. The operation also resulted in the seizure of approximately $454,530 in cryptocurrency paid as ransoms. Talk about a takedown!

How to Defend Against Netwalker?

1. Patch Everything: Keep your software, especially VPNs and web applications, updated to fix vulnerabilities before attackers can exploit them.

2. Enable MFA: Implement multi-factor authentication on all critical accounts to make it harder for attackers to use stolen credentials.

3. Train Your Team: Educate users to recognize and report phishing attempts. A well-trained team is your first line of defense.

4. Backup Your Data: Maintain regular, offline, and immutable backups. If you get hit, you can restore your data without paying up.

5. Monitor Your Endpoints: Proactive monitoring is key. You need to see what’s happening on your endpoints to catch threats early.

The Huntress Managed Security Platform provides the endpoint visibility needed to detect and stop the techniques used by actors like Netwalker. With 24/7 monitoring from our human threat hunters, we can spot suspicious PowerShell activity, attempts to delete backups, and other malicious behaviors, stopping attacks before they lead to a full-blown ransomware incident.
