Alpha Ransomware Emerges From NetWalker Ashes

Alpha attacks have emerged from the NetWalker ashes, scaling up operations and launching a data leak site. The campaign heavily uses living-off-the-land tools and shows strong links to NetWalker, suggesting revived or repurposed ransomware activity. #NetWalker #AlphaRansomware

Key points

  • Alpha first appeared in February 2023 but has recently intensified, including a data leak site launch.
  • Attacks heavily rely on living-off-the-land tools such as Taskkill, PsExec, Net.exe, and Reg.exe.
  • NetWalker was an early, highly successful targeted ransomware operation; a jailed member allegedly earned over $27.6 million.
  • Strong similarities between Alpha and NetWalker suggest a link—either a revival by original developers or a modified NetWalker payload.
  • Protection guidance is available via Symantec’s Protection Bulletin for the latest Alpha defenses.
  • The article lists extensive Indicators of Compromise, including numerous PowerShell loader hashes and Alpha loader hashes.

MITRE Techniques

  • [T1059.003] Windows Command Shell – Taskkill is used to end one or more tasks or processes. Quote: “…Taskkill: Windows command-line tool that can be used to end one or more tasks or processes…”
  • [T1059.001] PowerShell – PowerShell loader used to load and execute payloads. Quote: “…PowerShell loader…”
  • [T1021.001] Remote Services – PsExec is used to move laterally on victim networks. Quote: “…the tool is primarily used by attackers to move lateral on victim networks.”
  • [T1112] Modify Registry – Reg.exe is used to edit the registry of local or remote computers. Quote: “…Reg.exe: Windows command-line tool that can be used to edit the registry of local or remote computers.”
  • [T1016.001] System Network Configuration Discovery – Net.exe is used to stop and start the IPv6 protocol, reflecting network configuration changes. Quote: “…Net.exe: Microsoft tool that can be used to stop and start the IPv6 protocol.”
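The techniques above all involve signed Windows binaries that also appear constantly in legitimate administration, so a single Taskkill or Reg.exe execution is weak evidence on its own. What stands out in the activity described is the combination of several of these tools on one host in a short span. The script below is an added defender-side illustration, not code from the Symantec article: it parses constructed process-creation log lines (the simplified "timestamp host user image commandline" format, the 15-minute window and the three-tool threshold are all assumptions) and raises one alert per host where at least three distinct living-off-the-land tools named in the article run within the window.

```python
"""Added example (not from the Symantec article): cluster living-off-the-land
tool executions per host so that the combination, not any single run, alerts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools the article names as heavily used in Alpha attacks (plus PsExec's
# service-side binary and net1.exe, which net.exe hands most work to).
LOLBINS = {"taskkill.exe", "psexec.exe", "psexesvc.exe",
           "net.exe", "net1.exe", "reg.exe"}

# Constructed sample log in an assumed format:
#   <ISO timestamp> <host> <user> <image path> "<command line>"
SAMPLE_LOG = """\
2024-02-01T10:00:01Z host-a alice C:\\Windows\\System32\\notepad.exe "notepad.exe"
2024-02-01T10:02:10Z host-b admin C:\\Windows\\System32\\taskkill.exe "taskkill /F /IM sqlservr.exe"
2024-02-01T10:02:15Z host-b admin C:\\Windows\\System32\\reg.exe "reg add HKLM\\SOFTWARE\\Example /v x /d 1 /f"
2024-02-01T10:03:40Z host-b admin C:\\Tools\\PsExec.exe "PsExec.exe \\\\host-c -s cmd.exe"
2024-02-01T10:04:05Z host-b admin C:\\Windows\\System32\\net.exe "net stop Example"
2024-02-01T11:30:00Z host-d bob C:\\Windows\\System32\\reg.exe "reg query HKCU\\Example"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, image, cmdline = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "user": user,
        # Normalise to the bare, lower-cased image name so path and case
        # variations do not evade the match.
        "image": image.rsplit("\\", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def find_lolbin_clusters(log_text, window=timedelta(minutes=15), min_distinct=3):
    """Alert once per host whose LOLBin executions reach min_distinct distinct
    tools inside any sliding window of the given length (assumed thresholds)."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["image"] in LOLBINS:
            per_host[ev["host"]].append(ev)

    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e["ts"])
        best = None  # (distinct tool set, events in that window)
        start = 0
        for end, ev in enumerate(events):
            # Slide the window start forward until it fits within `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            tools = {e["image"] for e in span}
            if best is None or len(tools) > len(best[0]):
                best = (tools, span)
        if best and len(best[0]) >= min_distinct:
            tools, span = best
            alerts.append({
                "host": host,
                "tools": sorted(tools),
                "users": sorted({e["user"] for e in span}),
                "first": span[0]["ts"].isoformat(),
                "last": span[-1]["ts"].isoformat(),
                "commands": [e["cmdline"] for e in span],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_lolbin_clusters(SAMPLE_LOG):
        print(f"{alert['host']}: {len(alert['tools'])} LOLBins "
              f"between {alert['first']} and {alert['last']}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

In a real deployment the parser would be replaced by the SIEM's field extraction for Sysmon event 1 or Windows event 4688, and the command lines kept in the alert so an analyst can tell a backup job restarting a service from a forced kill of a database process followed by registry and PsExec activity.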

Indicators of Compromise

  • [Hash] PowerShell loader – 46569bf23a2f00f6bac5de6101b8f771feb972d104633f84e13d9bc98b844520, 6462b8825e02cf55dc905dd42f0b4777dfd5aa4ff777e3e8fe71d57b7d9934e7, and 2 more hashes
  • [Hash] Alpha ransomware loader – e573d2fec8731580ab620430f55081ceb7153d0344f2094e28785950fb17f499, e68dd7f20cd31309479ece3f1c8578c9f93c0a7154dcf21abce30e75b25da96b, and 2 more hashes

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/alpha-netwalker-ransomware