Feds Disrupt NetWalker Ransomware Operation


The Justice Department this week announced the disruption of a major ransomware-as-a-service operation active since 2019 and known as NetWalker. In partnership with Bulgarian authorities, U.S. officials indicted a Canadian national, seized nearly half a million dollars worth of cryptocurrency, and shut down a dark web communications site.

“We are striking back against the growing threat of ransomware not only by bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Nicholas McQuaid, an acting assistant attorney general in the Justice Department’s Criminal Division.

NetWalker has been an active ransomware threat actor in recent years. Its targets have included private companies, hospitals, law enforcement, emergency services, and educational institutions. The Justice Department noted that recent attacks have specifically targeted the healthcare sector to take advantage of the crisis created by the COVID-19 pandemic.

How NetWalker Works

NetWalker ransomware targets Windows users, and encrypts and exfiltrates all data to which it gains access, according to a profile of the attackers published last year. When the ransom is paid, victims receive a decryption key. But NetWalker also uses a secondary extortion scheme: a portion of the stolen data is leaked on the dark web as proof of the breach, and victims must then pay an additional ransom to avoid a full data dump.

The report identified the group behind the NetWalker ransomware as a criminal entity known as Circus Spider. In early 2020, NetWalker began operating on a ransomware-as-a-service model. Like software that operates on a subscription basis, the producers of NetWalker began licensing the code to affiliates for use in their own attacks.

The ransomware-as-a-service model holds benefits for both producers and affiliates. The producers minimize their risk by profiting from attacks carried out by others, and the affiliates need no coding experience to deploy the ransomware effectively. Attacks can be carried out quickly and efficiently.

An Effective Cybercrime Model

Chainalysis, a blockchain analysis group that assisted the Justice Department’s recent action against NetWalker, said in a report that NetWalker ransoms had topped $46 million since it was first deployed in 2019. It added, however, that the use of affiliates has increased ransomware attacks and made it more difficult to fully quantify the financial impact.

NetWalker has been responsible for at least 305 attacks across 27 countries. Its targets have included numerous healthcare providers, including Lorien Health Services, Champaign-Urbana Public Health District, and Crozer-Keystone Health System. Attackers have also targeted universities. Michigan State University was breached in June 2020. That same month, the University of California San Francisco announced that it had paid $1.4 million in ransom to restore access to IT systems in its School of Medicine.

A Step Closer to Accountability

Ransomware remains a growing and costly threat to public, private, and government sectors. Attackers rarely face legal consequences. Even when cybercrime infrastructure gets dismantled, as was the case with Bulgarian authorities disabling a dark web NetWalker communications portal, it often emerges elsewhere.

A security analyst recently noted, however, that the seizure of assets by the Justice Department was a step in the right direction. Those assets included decryption keys that might help restore access to locked files for current victims of NetWalker. More often than not, victims are left with a difficult choice of paying a ransom or dealing with the aftermath themselves.

A Good Data Protection and Recovery Plan Can Help

Ransomware attacks have evolved in frequency and complexity. Protecting yourself can seem daunting, particularly when well-funded and well-protected corporate or government entities continue to fall victim to these crippling attacks. But it’s important to remember that there are things you can do.

Follow basic digital hygiene best practices. Use solid antivirus protection software and avoid opening email attachments that are not from verifiably trusted sources. Never give out personal information unless you are certain about the trustworthiness of the recipient.

Data loss can happen in any number of ways. Have a plan in place before disaster strikes. Your first call can be the most important when your data is at stake. Secure Data Recovery Services has helped thousands of customers successfully navigate every kind of data loss scenario. We have the most industry-specific certifications, and we’re here 24/7 to help.

Call us at 1-800-388-1266 to open a case. Click here to see how the process works. We have more than 250 partner locations and three Class 10 ISO 4 cleanrooms across North America. We’ll cover the cost for inbound media shipping to one of our labs. We also offer a free diagnostic analysis and our “no data, no recovery fee” guarantee.
