Netwalker

**Overview:** Netwalker is a financially motivated ransomware group that emerged in January 2020, rapidly establishing itself as one of the more prolific ransomware operations during the height of the COVID-19 pandemic. The group primarily targets organizations for financial gain through encryption and extortion tactics. **Origin & Affiliation:** Netwalker is believed to operate as a Ransomware-as-a-Service (RaaS) model with suspected Russian-speaking affiliates, though definitive attribution to a specific nation-state remains unconfirmed by law enforcement agencies. The group has operated independently without established links to other major ransomware families. **Attack Methodology:** Netwalker affiliates typically gained initial access through exposed Remote Desktop Protocol (RDP) services, phishing emails, and exploitation of unpatched vulnerabilities in public-facing applications. The group employed double extortion tactics, exfiltrating sensitive data before deploying their ransomware payload, and maintained a leak site to pressure victims into paying ransoms by threatening to publish stolen information. **Notable Campaigns:** The group notably targeted healthcare organizations during the COVID-19 pandemic, including attacks on hospitals and healthcare facilities, drawing significant attention from law enforcement and cybersecurity agencies. Netwalker was responsible for high-profile attacks across multiple critical infrastructure sectors, with CISA and FBI issuing specific advisories warning organizations about the group's activities. **Current Status:** Netwalker operations were significantly disrupted in January 2021 when international law enforcement actions led to the takedown of their infrastructure and the arrest of a key affiliate, effectively ending the group's active operations.