Skip to main content

Operator dossier

Netwalker is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 26 public victims claimed by this operator between January 31, 2020 and December 12, 2020. **Overview:** Netwalker is a financially motivated ransomware group that emerged in January 2020, rapidly establishing itself as one of the more prolific ransomware operations during the height of the COVID-19 pandemic. The group primarily targets organizations for financial gain through encryption and extortion tactics. **Origin & Affiliation:** Netwalker is believed to operate as a Ransomware-as-a-Service (RaaS) model with suspected Russian-speaking affiliates, though definitive attribution to a specific nation-state remains unconfirmed by law enforcement agencies. The group has operated independently without established links to other major ransomware families. **Attack Methodology:** Netwalker affiliates typically gained initial access through exposed Remote Desktop Protocol (RDP) services, phishing emails, and exploitation of unpatched vulnerabilities in public-facing applications. The group employed double extortion tactics, exfiltrating sensitive data before deploying their ransomware payload, and maintained a leak site to pressure victims into paying ransoms by threatening to publish stolen information. **Notable Campaigns:** The group notably targeted healthcare organizations during the COVID-19 pandemic, including attacks on hospitals and healthcare facilities, drawing significant attention from law enforcement and cybersecurity agencies. Netwalker was responsible for high-profile attacks across multiple critical infrastructure sectors, with CISA and FBI issuing specific advisories warning organizations about the group's activities. **Current Status:** Netwalker operations were significantly disrupted in January 2021 when international law enforcement actions led to the takedown of their infrastructure and the arrest of a key affiliate, effectively ending the group's active operations.

Most-affected countries

Recent disclosures by Netwalker

All 26 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Netwalker

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Netwalker

26 victims indexed · first seen 6 years ago · last activity 6 years ago

26
Victims indexed
#147 of 364 tracked operators
11m
Active period
Jan 2020 → Dec 2020
6
Countries hit
top United States · 13

At a glance

Status
inactive
First seen
6 years ago
Last activity
6 years ago
Onion sites
1 known endpoint
Primary sector
Healthcare and Public Health · 5 hits

About

**Overview:** Netwalker is a financially motivated ransomware group that emerged in January 2020, rapidly establishing itself as one of the more prolific ransomware operations during the height of the COVID-19 pandemic. The group primarily targets organizations for financial gain through encryption and extortion tactics. **Origin & Affiliation:** Netwalker is believed to operate as a Ransomware-as-a-Service (RaaS) model with suspected Russian-speaking affiliates, though definitive attribution to a specific nation-state remains unconfirmed by law enforcement agencies. The group has operated independently without established links to other major ransomware families. **Attack Methodology:** Netwalker affiliates typically gained initial access through exposed Remote Desktop Protocol (RDP) services, phishing emails, and exploitation of unpatched vulnerabilities in public-facing applications. The group employed double extortion tactics, exfiltrating sensitive data before deploying their ransomware payload, and maintained a leak site to pressure victims into paying ransoms by threatening to publish stolen information. **Notable Campaigns:** The group notably targeted healthcare organizations during the COVID-19 pandemic, including attacks on hospitals and healthcare facilities, drawing significant attention from law enforcement and cybersecurity agencies. Netwalker was responsible for high-profile attacks across multiple critical infrastructure sectors, with CISA and FBI issuing specific advisories warning organizations about the group's activities. **Current Status:** Netwalker operations were significantly disrupted in January 2021 when international law enforcement actions led to the takedown of their infrastructure and the arrest of a key affiliate, effectively ending the group's active operations.

References

65 links

External sources curated by the MISP threat-intel community.

Timeline

10 months
2020-01-01T00:00:00+00:00 · 12020-03-01T00:00:00+00:00 · 12020-04-01T00:00:00+00:00 · 12020-05-01T00:00:00+00:00 · 32020-06-01T00:00:00+00:00 · 32020-07-01T00:00:00+00:00 · 22020-08-01T00:00:00+00:00 · 62020-09-01T00:00:00+00:00 · 42020-10-01T00:00:00+00:00 · 32020-12-01T00:00:00+00:00 · 2
2020-01-01T00:00:00+00:002020-12-01T00:00:00+00:00

Top countries

🇺🇸 United States
13
🇨🇦 Canada
3
🇦🇺 Australia
2
🇦🇷 Argentina
1
🇵🇰 Pakistan
1
🇦🇹 Austria
1

Top sectors

Healthcare and Public Health
5
Information Technology
4
Critical Manufacturing
4
Energy
4
Education Facilities
3
Government Facilities
2
Commercial Facilities
2
Transportation Systems
2

MITRE ATT&CK

12 techniques · 8 tactics

Tactics

Initial AccessExecutionDefense EvasionDiscoveryLateral MovementCollectionExfiltrationImpact

Techniques

Detection · YARA rules

6 rules
  • netwalker_ransomware

    YARA rule from ATR/Trellix: ransomware/RANSOM_netwalker.yar

    source: ATR/Trellix

  • doesn

    YARA rule from ATR/Trellix: ransomware/RANSOM_netwalker.yar

    source: ATR/Trellix

  • netwalker_signed

    YARA rule from ATR/Trellix: ransomware/RANSOM_netwalker.yar

    source: ATR/Trellix

  • will

    YARA rule from ATR/Trellix: ransomware/RANSOM_netwalker.yar

    source: ATR/Trellix

  • Netwalker

    YARA rule from ATR/Trellix: ransomware/RANSOM_netwalker.yar

    source: ATR/Trellix

  • win_netwalker_reflective_dll_injection_decoded

    YARA rule from ATR/Trellix: ransomware/RANSOM_netwalker.yar

    source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

1 known
  • http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Source

Updated 6 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Netwalker posts a victim.

Add Netwalker to your watchlist — Pro pings you within 5 minutes of any new Netwalker leak-site post, Telegram callout, or affiliate-rebrand inference.