NetWalker Ransomware Gang Hunts for Top-Notch Affiliates

2020-05-20 17:37

The NetWalker ransomware - the scourge behind one of the recent Toll Group attacks - has transitioned to a ransomware-as-a-service model, and its operators are placing a heavy emphasis on targeting and attracting technically advanced affiliates, according to researchers.

"NetWalker now claims a singular preference for network infiltration, which is novel to the Russian-speaking ransomware community," explained the researchers, who added that in the advertisements on underground forums for the RaaS offering, the NetWalker group explicitly says that it prefers affiliates "Who prioritize quality, not quantity" and stating that they have an interest "Only in experienced, Russian-speaking network intruders - not spammers - with a preference for immediate, consistent work."

One of the members of a Russian-speaking forum told the researchers that interested RaaS candidates must apply to the affiliate program, and are subjected to a review by NetWalker group members.

NetWalker is not the only group however to have such standards.

"As for the architecture of the ransomware itself, the representative has explained [to us] that 'the locker is located inside a [PowerShell] script,' which circumvents the need to upload the payload to an external network. NetWalker claims that this feature helps deal with antivirus products, including Windows Defender."

News URL

https://threatpost.com/netwalker-ransomware-gang-top-notch-affiliates/155946/

#ransomware