NetWalker ransomware joins the groups of bad actors leaking data as part of their ransomware attack.

The SpearTip Security Operations Center is currently tracking NetWalker ransomware actors that have engaged in similar activities as Maze, Dopplepaymer and Clop. All of these adversary groups are actively stealing organizations’ data, known as data exfiltration, and demanding a ransom for extortion purposes.

NetWalkers’ latest capability, based on our Security Operations Center intelligence, is the ability to auto-publish victim data from cyber intrusions. In previous cases of Maze and Doppelpaymer, this was a much more manual pull of data prior to the encryption in most cases.

This type of cyberattack is quickly becoming the norm. It is a way for the cybercriminals to blackmail the victim into paying the ransom. The typical attack lifecycle consists of the original compromise (typically through an open port such as RDP on the firewall or a firewall vulnerability such as the recent Sophos vulnerability) and in some cases COVID-19 related phishing emails followed by privilege escalation to gain administrator privilege on a machine, then the automated pulling of specific data from both file shares and end user computers, and finally the encryption process once the pulled data is safely in the attackers hand.

Having a qualified forensic team validate if anything was taken from the environment during a NetWalker attack, along with the potential of data being stolen, regardless of paying or not, raises multiple risks not previously associated with NetWalker.

According to the Twitter account, MalwareHunterTeam, NetWalker has their own blog, which displays companies’ name, bio, password, and a link to its secret data.

From what our Security Operations Center engineers have seen, NetWalker has not been known for exfiltrating data, but based on our elite threat intelligence investigation in our 24/7 SOC, this change in dynamics from a relatively new variant leads our team to believe this type of extortion is not going away. To learn more about what we have talked about recently, read our blog on the shift from encryption to extortion.  

For more information on how to prepare for an event like this, visit or email [email protected] to speak with a cybersecurity professional.

24/7 Breach Response: 833.997.7327