We talk a lot about ransomware on the blog. It’s one of the biggest threats to an organization’s productivity, data, and reputation. Today, we are going to talk about NetWalker, a leader and innovator in the business of ransomware.

What is NetWalker?

NetWalker is a business. It’s ransomware-as-a-service, meaning NetWalker provides ransomware to hacker affiliates. These hacker affiliates are something akin to independent contractors. They take NetWalker’s ransomware code and deploy it to networks they’ve hacked. When the ransom is collected, a large portion of the “earnings” goes to NetWalker. It’s a mutually beneficial relationship between criminals: NetWalker has proven ransomware code and hackers have the expertise in hacking networks. NetWalker operates like a regular company in terms of recruiting–they post on hacking forums and entice potential affiliates with screenshots of past successful attacks and high ransom payments.

As a part of NetWalker’s business model, the hackers will steal data, in addition to encrypting it, once hacked in to their victim’s network. They will then threaten the victim with a leak of this data if they don’t pay the ransom. NetWalker has even created an automated data leak site, which includes a countdown clock to a pre-scheduled data leak meant to pressure the victim.

NetWalker’s strategy has been successful. They made $25 million dollars in the past five months. At least three U.S. universities were hit by NetWalker. The University of San Francisco paid a $1.14M ransom to NetWalker after their School of Medicine, which is involved in COVID-19 related research, was hacked. The University of Michigan chose not to pay, and NetWalker made good on their threat and leaked their stolen data. The Columbia College Chicago has remained quiet on their position, but their name was taken off the leak site, indicating that they are in negotiations with NetWalker on a ransom.

When Organizations Pay the Ransom

While the FBI recommends that organizations do not pay ransom, the decision is ultimately up to the victimized entity. Often, the cost of not paying and being forced to rebuild their systems and files can be far greater than the sum of the ransom. Many companies even have cybersecurity insurance that will help cover the ransom payment. Additionally, with the threat of releasing sensitive data, it’s not as simple as using backups or hiring a company to rebuild systems. In fact, it’s predicted that this tactic will be deployed more frequently as it raises the likelihood that victims will pay up.

The flip side is that, like any business, NetWalker reinvests profits into their company. It was past ransom payments that funded the infrastructure needed to recruit hacker affiliates and pay for their leak site. It ends up becoming a vicious cycle: NetWalker builds a better organization and a more successful service. This leads to widespread attacks and more entities paying ransoms.

When faced with ransomware, organizations have a difficult decision to make. There is no perfect solution. In the end, it comes back to protecting your organization as best you can and trying to avoid ransomware in the first place. That means implementing a combination of technological and training solutions and spreading awareness throughout the organization.