The emergence of Alpha Ransomware in early 2023 caught the attention of the Threat Hunter Team from Symantec due to its striking technical and operational similarities to NetWalker, a prolific ransomware family dismantled by law enforcement in 2021. Analysis points to shared origins, raising concerns within the cybersecurity community.
The Threat Hunter Team’s analysis has found close parallels between Alpha and NetWalker. Both use a PowerShell-based loader and follow a very similar payload execution flow, so the resemblance is more than superficial. Both ransomware families terminate processes and services with the same precision, carry a mirrored list of resolved APIs, and take an almost identical approach to self-deletion after encryption. Even their ransom demands go through similarly structured payment portals, pointing to a shared lineage.
Initially detected in February 2023, Alpha went mostly unnoticed until its operations grew dramatically in recent weeks, including the establishment of a data leak site. The ransomware relies on “living-off-the-land” tools such as Taskkill, PsExec, Net.exe, and Reg.exe to move through and paralyze networks.
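The tools named above are legitimate Windows utilities, so a defender cannot simply block them; what stands out is several of them running on one host in a short burst, launched from a scripting host, with taskkill stopping services one after another. The following Python is an added illustration written for this summary and is not Symantec’s code or anything from the report: it scans process-creation events (the field names mirror what a SIEM would carry from Sysmon Event ID 1 or Security 4688, but the records, command lines, hostnames and thresholds are all constructed for the example) and flags hosts where three or more of the listed tools run within a five-minute window.

```python
"""Detect bursts of living-off-the-land tool use on a single host.

Added example, not code from the Symantec report. All events below are
constructed; the tool list comes from the article, the window and the
parent-process names are assumptions a defender would tune locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities named in the article, mapped to the behaviour a defender watches for.
LOLBINS = {
    "taskkill.exe": "process termination",
    "psexec.exe": "remote execution / lateral movement",
    "net.exe": "service or share manipulation",
    "reg.exe": "registry modification",
}

# Assumed scripting hosts: a LOLBin spawned by one of these is more suspicious
# than the same tool typed by an administrator at a console.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events (host, time, parent image, image, command line).
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2023-02-10T09:00:01", "parent": "explorer.exe",
     "image": "winword.exe", "cmd": "winword.exe /n"},
    {"host": "WS-01", "time": "2023-02-10T09:00:05", "parent": "cmd.exe",
     "image": "net.exe", "cmd": "net use"},
    {"host": "FS-01", "time": "2023-02-10T10:15:00", "parent": "powershell.exe",
     "image": "taskkill.exe", "cmd": "taskkill /F /IM sqlservr.exe"},
    {"host": "FS-01", "time": "2023-02-10T10:15:02", "parent": "powershell.exe",
     "image": "taskkill.exe", "cmd": "taskkill /F /IM msaccess.exe"},
    {"host": "FS-01", "time": "2023-02-10T10:15:04", "parent": "powershell.exe",
     "image": "net.exe", "cmd": "net stop backupsvc"},
    {"host": "FS-01", "time": "2023-02-10T10:15:09", "parent": "powershell.exe",
     "image": "reg.exe", "cmd": "reg add HKLM\\SOFTWARE\\Example /v x /d 1"},
    {"host": "FS-01", "time": "2023-02-10T10:15:30", "parent": "services.exe",
     "image": "psexec.exe", "cmd": "psexec \\\\WS-02 -s cmd.exe"},
    {"host": "DC-01", "time": "2023-02-10T11:00:00", "parent": "services.exe",
     "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]


def find_lolbin_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Return {host: finding} for hosts where at least `min_distinct` different
    listed tools ran within any sliding `window`. One finding per host."""
    by_host = defaultdict(list)
    for e in events:
        image = e["image"].lower()
        if image in LOLBINS:
            by_host[e["host"]].append(
                (datetime.fromisoformat(e["time"]), image, e["parent"].lower(), e["cmd"])
            )

    findings = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, *_rest) in enumerate(evs):
            in_window = [ev for ev in evs[i:] if ev[0] - t0 <= window]
            distinct = {ev[1] for ev in in_window}
            if len(distinct) >= min_distinct:
                findings[host] = {
                    "start": t0.isoformat(),
                    "tools": sorted(distinct),
                    "behaviours": sorted(LOLBINS[d] for d in distinct),
                    # True when any tool in the burst was spawned by a scripting host
                    "scripted_parent": any(ev[2] in SCRIPT_HOSTS for ev in in_window),
                    # Repeated taskkill calls are the service-termination signal
                    "kill_count": sum(1 for ev in in_window if ev[1] == "taskkill.exe"),
                }
                break  # first qualifying window is enough to raise the alert
    return findings


if __name__ == "__main__":
    for host, finding in find_lolbin_bursts(SAMPLE_EVENTS).items():
        print(host, finding)
```

On the constructed data only FS-01 is flagged: WS-01 runs a single `net use`, which is ordinary administration, while FS-01 shows two forced kills, a service stop, a registry write and a PsExec launch inside thirty seconds, most of them under PowerShell. The threshold of three distinct tools and the five-minute window are starting points; in a real estate they should be tuned against a baseline of what administrators and deployment tooling normally do.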
“Alpha may be an attempt at reviving the old ransomware operation by one or more of the original NetWalker developers. Alternatively, the attackers behind Alpha may have acquired and modified the original NetWalker payload in order to launch their own ransomware operation,” the researcher wrote.
The emergence of Alpha Ransomware underscores a persistent challenge in cybersecurity: dismantled operations resurface under new names, and the cyclical nature of these threats makes sustained vigilance essential.