Cybersecurity firm McAfee released a study showing the activities of NetWalker, a ransomware first known as Mailto that was initially discovered in August 2019.

According to the report, the operators of NetWalker have collected over $25 million from ransom payments since March 2020.

From March 1 to July 27, the group collected around 2,795 Bitcoin (BTC), purportedly making it one of the most profitable types of ransomware for cybercriminals.

According to the report, the Bitcoin transactions received by the gang — where the amount is split among several different addresses — reflects that NetWalker is a "ransomware-as-a-service" malware.

Such a maneuver implies that it has generated such a huge amount of money thanks to the affiliate revenue sharing it offers to other operators, McAfee states.

Strengthening its capabilities

McAfee notes that NetWalker operators have moved away from using legacy Bitcoin addresses to SegWit addresses, due to its faster transaction times and lower costs, suggesting a sophistication in their modus operandi after becoming a ransomware-as-a-service model.

On March 20, at least two darknet forums saw posts related to the NetWalker actors offering the ransomware with a revenue-sharing scheme to help spread the malware and make it much as profitable as possible. 

Speaking to Cointelegraph, Brett Callow, threat analyst at malware lab Emsisoft, said:

"NetWalker is a big game hunter and responsible for numerous attacks on larger public sector organizations as well as private sector companies. Working out the amount ransomware groups make is exceptionally difficult and, as McAfee states, the figure of $25 million is almost certainly an underestimate. Globally, companies paid more than $25 billion in ransom demands in 2019."

The study adds that most of the NetWalker's targets were based in western European countries and in the United States. The group had previously announced that they won’t target hospitals due to the COVID-19 pandemic, although there have been reports to the contrary.

Crozer-Keystone Health System suffered a ransomware attack by the NetWalker ransomware on June 19. The attackers started to auction the system’s stolen data through its darknet website.