
Tracing Ransomware: CipherTrace Helps McAfee Follow NetWalker Funds 

On August 3, cybersecurity firm McAfee released new research showing the activities of NetWalker—ransomware that has collected more than 2,795 bitcoin by operating a ransomware-as-a-service (RaaS) model. Using CipherTrace Inspector, McAfee was able to trace NetWalker ransomware transactions, follow the coins, and uncover intelligence on the revenue-sharing scheme that helped proliferate the malware and make it as profitable as possible. 

A contributing factor to NetWalker’s success was the utilization of SegWit transactions. Moving to SegWit demonstrated an expansion of the enterprise, with the lower transaction costs contributing to the scalability of the operation. Further adding to their success, NetWalker operators shared tips over darknet forums demonstrating how to best spread the malware. 

Using CipherTrace Inspector, McAfee analysts traced BTC addresses extracted from screenshots of four completed NetWalker ransomware payments found on a darknet market RaaS listing. These screenshots only showed partial BTC addresses, but CipherTrace Inspector's autocomplete was easily able to determine the full addresses, allowing McAfee analysts to further investigate the ransomware scheme. These addresses were: 

  • 3JHTYZhRmMcq7WCKRzFN98vWvAZk792w9J 
  • 39aovzbz5rGoQdKjDm6JiybkSu1uGdVJ2V 
  • 39NRnZtgACDVhhmc7RwmvH9ZDUKTNwwaeB 

Analysts were then able to determine that the ransomware actors consolidated funds from the four addresses listed above to the following two addresses under the NetWalker RaaS operators’ control: 

  • 1DgLhGeJfoUkkXdYNVf7SNckX5ST5taPVo 
  • bc1q98z5gcxan998h0uem0y4y4qtmm45xk4r2e5m9p 


RaaS Payments are Routinely Split 

An analysis of these two additional addresses revealed incoming transactions from multiple deposit addresses belonging to the ransomware scheme. Some of the incoming transactions were split between four different addresses, which is indicative of a RaaS model as ransom payments are split between RaaS operators and the affiliate who caused the infection. The splits found through blockchain analytics matched the RaaS fees NetWalker operators advertised on darknet forums, with roughly 20% going to the RaaS operators. 

Example of ransom payments split between RaaS operators and the affiliate who caused the infection

NetWalker RaaS payments are routinely split, as per the profit share agreement for the RaaS. Splitting transactions this way shows a much more organized business model with more sophisticated BTC movements. 


NetWalker Use of Cold Wallets 

Another example of increased sophistication in the NetWalker RaaS operation is what appears to be the use of a cold wallet. One address identified as possible cold storage for the organization had just over 640 BTC sitting in it, with only one outgoing transaction. The addresses that appear to be currently used as cold storage for these operators are also SegWit addresses. This transition to SegWit could indicate either that they are using a new hardware wallet to store their BTC or simply a desire for cheaper transactions that let the operation scale while keeping transaction costs low. It also demonstrates an evolution in their maturity, showing that they are more willing to park funds and wait instead of eagerly looking to cash out. 

While the organization is holding large amounts of bitcoin in what appear to be cold wallets, some of the funds have already moved this year. One consolidation of funds worth 35.43 BTC was eventually deposited into CointoCard, a Russian VASP that allows customers to convert cryptocurrency to a credit on their bank and/or debit card, as well as swap crypto for crypto. Additionally, there has been recent movement of funds that were deposited into some global, well-known exchanges. 

Read McAfee’s analysis on the NetWalker Ransomware here: 


Why It Matters 

The development of Ransomware-as-a-Service operations like NetWalker has become a lucrative business for threat actors. Fears of foreign interference in the US presidential elections are growing, and federal officials warn that ransomware may be a tool used by adversaries. “From the standpoint of confidence in the system, I think it is much easier to disrupt a network and prevent it from operating than it is to change votes,” Adam Hickey, a Justice Department deputy assistant attorney general, said in an interview. It is crucial not only to trace ransomware proceeds to find and stop the operators, but also to harden systems and educate the public on how these compromises occur in order to properly mitigate disruption. 
