Alpha Virus: a new player or an old ransomware that has risen from the ashes?

The Netwalker group dropped off the radar back in 2021, but researchers studying other ransomware have noticed suspicious similarities.

Experts have found troubling links between the recent Alpha ransomware and the Netwalker criminal group, whose operation was shut down several years ago. What does this mean?

Netwalker operated from October 2019 to January 2021, renting its software to other attackers on the "ransomware-as-a-service" (RaaS) model. After law enforcement took down the group's darknet sites, the Netwalker operators stopped their activity and disappeared from view.

Alpha first appeared in February 2023 but initially kept a low profile: it was not advertised on hacker forums and was not used in large-scale attacks. Later the operators set up a leak site where they began posting data stolen from victim companies and demanding a ransom for it.

At the time of writing, the Alpha leak site lists 9 attacks, and in 8 of those cases the stolen data has already been published. According to a Netenrich report of January 29, the malware has been refined gradually; the latest version appends a random 8-character alphanumeric extension to each encrypted file.

Ransom notes now include instructions for contacting the operators. The demands, according to Netenrich, range from $13,200 to $100,000, scaled to the revenue of the attacked organization.

In a recent report, Symantec linked Alpha to Netwalker's criminal activity. The connection shows in the tools and attack techniques the new group uses.

Key similarities:
  • Similar PowerShell-based loaders used to deliver the payload while evading detection.
  • Overlapping code structure and code fragments, especially in the file-encryption routines, the termination of processes and services, and the way system APIs are called.
  • Similar configuration of the exclusion rules for files, folders, processes, and services that are skipped during encryption.
  • Self-deletion of the malware after encryption completes, carried out via temporary .bat files.
  • Payment pages that carry an identical message about the need to enter a custom code.
  • In addition, Alpha made heavy use of built-in Windows tools (living off the land) in recent attacks, although this is common to many groups.
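The behaviours listed above (PowerShell loaders, post-encryption cleanup via temporary .bat files, cmd.exe and other built-in tools) together with the random 8-character extension from the Netenrich report are all things a defender can hunt for in endpoint telemetry. The Python below is an added example written for this post; it is not code from Symantec, Netenrich or the Alpha operators, and the report does not give Alpha's actual batch-file names or contents, so nothing here reproduces them. It assumes generic forms of the described behaviours: a batch file that deletes an .exe and then itself, a hidden PowerShell process with an encoded command, cmd.exe launching a .bat from a temp directory, and an unusual share of files carrying unknown 8-character alphanumeric extensions. Every event, script and filename in it is constructed for illustration and is not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Extensions treated as legitimate; a real deployment would use a far larger list.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png", "exe", "dll", "bat", "log"}
ALNUM8 = re.compile(r"^[A-Za-z0-9]{8}$")
# cmd.exe running a .bat that lives in a user or system temp directory (assumed pattern)
TEMP_BAT = re.compile(r'\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\\\s"]+\.bat(?:"|\s|$)', re.I)
# -e / -ec / -enc / -encodedcommand followed by a base64-looking blob (lowercased input)
ENCODED_PS = re.compile(r"\s-e(?:c|nc\w*)?\s+[a-z0-9+/=]{20,}")
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden")


def is_self_delete_batch(batch_text: str) -> bool:
    """True if a batch script deletes an .exe and then removes itself.

    Self-removal is recognised as del/erase of %0, %~f0 or a literal .bat path,
    the usual shape of a post-encryption cleanup script (assumed generic pattern).
    """
    lines = [l.strip().lower() for l in batch_text.splitlines() if l.strip()]
    deletes_exe = any(re.search(r"\b(?:del|erase)\b.*\.exe", l) for l in lines)
    deletes_self = any(re.search(r"\b(?:del|erase)\b.*(?:%~?f?0|\.bat)", l) for l in lines)
    return deletes_exe and deletes_self


def suspicious_process(image: str, cmdline: str) -> list[str]:
    """Return the reasons a process-creation event matches the described TTPs."""
    reasons = []
    name = PureWindowsPath(image).name.lower()
    cl = cmdline.lower()
    if name == "powershell.exe":
        if ENCODED_PS.search(cl):
            reasons.append("encoded PowerShell command")
        if HIDDEN_PS.search(cl):
            reasons.append("hidden PowerShell window")
    if name == "cmd.exe" and TEMP_BAT.search(cmdline):
        reasons.append("cmd.exe running a .bat from a temp directory")
    return reasons


def unknown_alnum8_share(filenames: list[str]) -> tuple[float, int]:
    """Fraction of files whose extension is an unknown 8-char alphanumeric token,
    plus the number of distinct such extensions. A high fraction on a file share
    points to mass renaming of the kind described for the latest Alpha build."""
    hits = []
    for f in filenames:
        ext = PureWindowsPath(f).suffix.lstrip(".")
        if ALNUM8.match(ext) and ext.lower() not in KNOWN_EXTENSIONS:
            hits.append(ext)
    if not filenames:
        return 0.0, 0
    return len(hits) / len(filenames), len(set(hits))


def triage(events, batch_scripts, filenames, ext_threshold=0.3) -> list[str]:
    """Run all three heuristics over one host's data and collect findings."""
    findings = []
    for image, cmdline in events:
        for reason in suspicious_process(image, cmdline):
            findings.append(f"{reason}: {cmdline}")
    for path, text in batch_scripts:
        if is_self_delete_batch(text):
            findings.append(f"self-deleting batch script: {path}")
    share, distinct = unknown_alnum8_share(filenames)
    if share >= ext_threshold:
        findings.append(f"{share:.0%} of files carry unknown 8-char extensions ({distinct} distinct)")
    return findings


# Constructed sample data (not real Alpha telemetry): (image path, command line)
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    (r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\bob\AppData\Local\Temp\tmp3F2A.bat"'),
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\\"),
]
SELF_DELETE_BAT = r"""
@echo off
:loop
del "C:\Users\bob\AppData\Local\Temp\svchost_update.exe"
if exist "C:\Users\bob\AppData\Local\Temp\svchost_update.exe" goto loop
del "%~f0"
"""
BENIGN_BAT = r"""
@echo off
copy "D:\share\q1-report.docx" "E:\backup\"
del "E:\backup\old.log"
"""
SAMPLE_BATCHES = [(r"C:\Users\bob\AppData\Local\Temp\tmp3F2A.bat", SELF_DELETE_BAT),
                  (r"C:\Scripts\backup.bat", BENIGN_BAT)]
SAMPLE_FILES = [
    r"D:\share\q1-report.docx.k3Pz9Qa1",
    r"D:\share\budget.xlsx.Xy7Lm2Qd",
    r"D:\share\photo.jpg.A9bC3dE5",
    r"D:\share\readme.txt",
    r"D:\share\setup.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_BATCHES, SAMPLE_FILES):
        print(finding)
```

Each heuristic on its own produces noise on a busy estate (admins run encoded PowerShell and temp batch files too), so the value is in the combination: a hidden encoded PowerShell launch, followed by a temp .bat that deletes an executable and itself, on a host whose shares suddenly fill with unknown 8-character extensions, is the sequence the reports describe, and the thresholds and extension allowlist should be tuned to the environment.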

Researchers therefore have good reason to believe the developers of Netwalker and Alpha are closely related: either Alpha is a rebrand of Netwalker, or a new group of criminals is reusing Netwalker's code. Symantec's analysts add that someone could have obtained the Netwalker code illicitly and adapted it for their own purposes.

Although Alpha is not yet a major player in the ransomware market, analysts rate the potential of this new threat as high and growing fast.