Security researchers have identified significant overlaps between the Alpha ransomware and the now-defunct Netwalker ransomware operation, shedding light on potential connections between the two. While Netwalker operated as a prominent ransomware-as-a-service platform until law enforcement intervention in January 2021, Alpha emerged in February 2023 with a more clandestine approach, avoiding promotion on hacker forums and keeping a low profile. However, recent developments indicate a shift in Alpha’s strategy, with the group launching a data leak site to list victims and publish files stolen from breached networks.
Symantec’s threat analysts have published a report linking Alpha to Netwalker based on shared tools and operational techniques observed in attacks. Notable similarities include the use of a similar PowerShell-based loader for payload delivery, significant code overlaps in the ransomware payload, and similar configurations regarding skipped files, folders, and processes to terminate. Additionally, both ransomware variants employ a temporary batch file for self-deletion after completing the encryption process, suggesting a strong connection between their developers.
Recent Alpha attacks have demonstrated a growing sophistication, with the ransomware now appending random 8-character alphanumeric extensions to encrypted files and including instructions for victims to contact the threat actor via a messaging service in ransom notes. While the reported ransom demands vary, ranging from 0.272 BTC to up to $100,000 depending on the victim’s business size, the utilization of living-off-the-land tools for evasion further underscores the evolving nature of the threat posed by Alpha.
Despite not yet establishing a significant presence in the ransomware landscape, Alpha’s emergence as an emerging threat highlights the need for organizations to remain vigilant. Whether Alpha represents a revival of the Netwalker operation under a new guise or the reuse of its code by a different threat actor remains uncertain. Nonetheless, the observed similarities between the two ransomware variants emphasize the importance of proactive cybersecurity measures and threat intelligence gathering to mitigate potential risks.Reference:
