According to research by Advanced Intelligence, LLC, the Netwalker ransomware group is shifting focus away from infecting targets through spam. Instead, the group has begun to adopt a Ransomware-as-a-Service (RaaS) model targeting larger networks with exclusive affiliates for splitting up the work. Forum posts by the group have indicated that they are looking for specialists in network intrusions, privilege escalation and network reconnaissance to join their affiliate network. To sweeten the deal, the group is even offering up to 80% of payments to the affiliates, leaving 20% for itself. This deal is likely to be seen as a very attractive one compared to the 40/60 or 30/70 splits offered by other RaaS operators. To go even further, the group will allow 84% if the previous week’s earnings go beyond $300K. NetWalker has also started exfiltrating data from victims to post on its blog, continuing the worrying trend of extorting ransomware victims for even more money.
Although the group states in their requirements for affiliates that all victims must receive their files back after paying the ransom, Binary Defense does not recommend paying it if infected by any ransomware strain. To ensure no data is lost during a ransomware infection, follow the 3-2-1 method of backing up data. Keep three copies of the data on two separate devices with one of the devices stored off-site. Organizations should prioritize monitoring and detection of intrusions to avoid the downtime and cost of recovery from ransomware, even if backups are available. An internal or managed security service Security Operations Center with excellent visibility using Endpoint Detection and Response (EDR) and network monitoring tools is in the best position to detect and stop intrusions. Managed security services such as the Binary Defense Security Operations Center (SOC) provide 24/7 monitoring to quickly detect, contain and alert security teams to threats like this before they spread too far.