Stories about computer security tend to go viral when they bridge the vast divide between geeks and luddites, and this week’s news about a hacker who tried to poison a Florida town’s water supply was understandably front-page material. But for security nerds who’ve been warning about this sort of thing for ages, the most surprising aspect of the incident seems to be that we learned about it at all.

Spend a few minutes searching Twitter, Reddit or any number of other social media sites and you’ll find countless examples of researchers posting proof of being able to access so-called “human-machine interfaces” — basically web pages designed to interact remotely with various complex systems, such as those that monitor and/or control things like power, water, sewage and manufacturing plants.

And yet, there have been precious few known incidents of malicious hackers abusing this access to disrupt these complex systems. That is, until this past Monday, when Florida county sheriff Bob Gualtieri held a remarkably clear-headed and fact-filled news conference about an attempt to poison the water supply of Oldsmar, a town of around 15,000 not far from Tampa.

Gualtieri told the media that someone (they don’t know who yet) remotely accessed a computer for the city’s water treatment system (using Teamviewer) and briefly increased the amount of sodium hydroxide (a.k.a. lye used to control acidity in the water) to 100 times the normal level.

“The city’s water supply was not affected,” The Tampa Bay Times reported. “A supervisor working remotely saw the concentration being changed on his computer screen and immediately reverted it, Gualtieri said. City officials on Monday emphasized that several other safeguards are in place to prevent contaminated water from entering the water supply and said they’ve disabled the remote-access system used in the attack.”

In short, a likely inexperienced intruder somehow learned the credentials needed to remotely access Oldsmar’s water system, did little to hide his activity, and then tried to change settings by such a wide margin that the alterations would be hard to overlook.

“The system wasn’t capable of doing what the attacker wanted,” said Joe Weiss, managing partner at Applied Control Solutions, a consultancy for the control systems industry. “The system isn’t capable of going up by a factor of 100 because there are certain physics problems involved there. Also, the changes he tried to make wouldn’t happen instantaneously. The operators would have had plenty of time to do something about it.”

Weiss was just one of a half-dozen experts steeped in the cybersecurity aspects of industrial control systems that KrebsOnSecurity spoke with this week. While all of those interviewed echoed Weiss’s conclusion, most also said they were concerned about the prospects of a more advanced adversary.

Here are some of the sobering takeaways from those interviews:

• There are approximately 54,000 distinct drinking water systems in the United States.
• The vast majority of those systems serve fewer than 50,000 residents, with many serving just a few hundred or thousand.
• Virtually all of them rely on some type of remote access to monitor and/or administer these facilities.
• Many of these facilities are unattended, underfunded, and do not have someone watching the IT operations 24/7.
• Many facilities have not separated operational technology (the bits that control the switches and levers) from safety systems that might detect and alert on intrusions or potentially dangerous changes.

So, given how easy it is to search the web for and find ways to remotely interact with these HMI systems, why aren’t there more incidents like the one in Oldsmar making the news? One reason may be that these facilities don’t have to disclose such events when they do happen.

NO NEWS IS GOOD NEWS?

The only federal law that applies to the cybersecurity of water treatment facilities in the United States is America’s Water Infrastructure Act of 2018, which requires water systems serving more than 3,300 people “to develop or update risk assessments and emergency response plans.”

There is nothing in the law that requires such facilities to report cybersecurity incidents, such as the one that happened in Oldsmar this past weekend.

“It’s a difficult thing to get organizations to report cybersecurity incidents,” said Michael Arceneaux, managing director of the Water ISAC, an industry group that tries to facilitate information sharing and the adoption of best practices among utilities in the water sector. The Water ISAC’s 450 members serve roughly 200 million Americans, but its membership comprises less than one percent of the overall water utility industry.

“Some utilities are afraid that if their vulnerabilities are shared the hackers will have some inside knowledge on how to hack them,” Arceneaux said. “Utilities are rather hesitant to put that information in a public domain or have it in a database that could become public.”

Weiss said the federal agencies are equally reluctant to discuss such incidents.

“The only reason we knew about this incident in Florida was that the sheriff decided to hold a news conference,” Weiss said. “The FBI, Department of Homeland Security, none of them want to talk about this stuff publicly. Information sharing is broken.”

By way of example, Weiss said that not long ago he was contacted by a federal public defender representing a client who’d been convicted of hacking into a drinking water system. The attorney declined to share his client’s name, or divulge many details about the case. But he wanted to know if Weiss would be willing to serve as an expert witness who could help make the actions of a client sound less scary to a judge at sentencing time.

“He was defending this person who’d hacked into a drinking water system and had gotten all the way to the pumps and control systems,” Weiss recalled. “He said his client had only been in the system for about an hour, and he wanted to know how much damage could his client really could have done in that short a time. He was trying to get a more lenient sentence for the guy.”

Weiss said he’s tried to get more information about the defendant, but suspects the details of the case have been sealed.

Andrew Hildick-Smith is a consultant who served nearly 20 years managing remote access systems for the Massachusetts Water Resources Authority. Hildick-Smith said his experience working with numerous smaller water utilities has driven home the reality that most are severely under-staffed and underfunded.

“A decent portion of small water utilities depend on their community or town’s IT person to help them out with stuff,” he said. “When you’re running a water utility, there are so many things to take care of to keep it all running that there isn’t really enough time to improve what you have. That can spill over into the remote access side, and they may not have a IT person who can look at whether there’s a better way to do things, such as securing remote access and setting up things like two-factor authentication.”

Hildick-Smith said most of the cybersecurity incidents that he’s aware of involving water facilities fall into two categories. The most common are compromises where the systems affected were collateral damage from more opportunistic intrusions.

“There’ve been a bunch of times where water systems have had their control system breached, but it’s most often just sort of by chance, meaning whoever was doing it used the computer for setting up financial transactions, or it was a computer of convenience,” Hildick-Smith siad. “But attacks that involved the step of actually manipulating things is pretty short list.”

The other, increasingly common reason, he said, is of course ransomware attacks on the business side of water utilities.

“Separate from the sort of folks who wander into a SCADA system by mistake on the water side are a bunch of ransomware attacks against the business side of the water systems,” he said. “But even then you generally don’t get to hear the details of the attack.”

Hildick-Smith recalled a recent incident at a fairly large water utility that got hit with the Egregor ransomware strain.

“Things worked out internally for them, and they didn’t need to talk to the outside world or the press about it,” he said. “They made contact with the Water ISAC and the FBI, but it certainly didn’t become a press event, and any lessons they learned haven’t been able to be shared with folks.”

AN INTERNATIONAL CHALLENGE

The situation is no different in Europe and elsewhere, says Marcin Dudek, a control systems security researcher at CERT Polska, the computer emergency response team which handles cyber incident reporting in Poland.

Marcin said if water facilities have not been a major target of profit-minded criminal hackers, it is probably because most of these organizations have very little worth stealing and usually no resources for paying extortionists.

“The access part is quite easy,” he said. “There’s no business case for hacking these types of systems. Quite rarely do they have a proper VPN [virtual private network] for secure remote connection. I think it’s because there is not enough awareness of the problems of cybersecurity, but also because they are not financed enough. This goes not only for the US. It’s very similar here in Poland and different countries as well.”

Many security professionals have sounded off on social media saying public utilities have no business relying on remote access tools like Teamviewer, which by default allows complete control over the host system and is guarded by a simple password.

But Marcin says Teamviewer would actually be an improvement over the types of remote access systems he commonly finds in his own research, which involves HMI systems designed to be used via a publicly-facing website.

“I’ve seen a lot of cases where the HMI was directly available from a web page, where you just log in and are then able to change some parameters,” Marcin said. “This is particularly bad because web pages can have vulnerabilities, and those vulnerabilities can give the attacker full access to the panel.”

According to Marcin, utilities typically have multiple safety systems, and in an ideal environment those are separated from control systems so that a compromise of one will not cascade into the other.

“In reality, it’s not that easy to introduce toxins into the water treatment so that people will get sick, it’s not as easy as some people say,” he said. Still, he worries about more advanced attackers, such as those responsible for multiple incidents last year in which attackers gained access to some of Israel’s water treatment systems and tried to alter water chlorine levels before being detected and stopped.

“Remote access is something we cannot avoid today,” Marcin said. “Most installations are unmanned. If it is a very small water or sewage treatment plant, there will be no people inside and they just login whenever they need to change something.”

SELF EVALUTION TIME

Many smaller water treatment systems may soon be reevaluating their approach to securing remote access. Or at least that’s the hope of the Water Infrastructure Act of 2018, which gives utilities serving fewer than 50,000 residents until the end of June 2021 to complete a cybersecurity risk and resiliency assessment.

“The vast majority of these utilities have yet to really even think about where they stand in terms of cybersecurity,” said Hildick-Smith.

The only problem with this process is there aren’t any consequences for utilities that fail to complete their assessments by that deadline.

Hildick-Smith said while water systems are required to periodically report data about water quality to the U.S. Environmental Protection Agency (EPA), the agency has no real authority to enforce the cybersecurity assessments.

“The EPA has made some kind of vague threats, but they have no enforcement ability here,” he said. “Most water systems are going to wait until close the deadline, and then hire someone to do it for them. Others will probably just self-certify, raise their hands and say, ‘Yeah, we’re good.’”

Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of a U-Admin, a software package used to administer what’s being called “one of the world’s largest phishing services.” The operation was carried out in coordination with the FBI and authorities in Australia, which was particularly hard hit by phishing scams perpetrated by U-Admin customers.

The Ukrainian attorney general’s office said it worked with the nation’s police force to identify a 39-year-old man from the Ternopil region who developed a phishing package and special administrative panel for the product.

“According to the analysis of foreign law enforcement agencies, more than 50% of all phishing attacks in 2019 in Australia were carried out thanks to the development of the Ternopil hacker,” the attorney general’s office said, noting that investigators had identified hundreds of U-Admin customers.

Brad Marden, superintendent of cybercrime operations for the Australian Federal Police (AFP), said their investigation into who was behind U-Admin began in late 2018, after Australian citizens began getting deluged with phishing attacks via mobile text messages that leveraged the software.

“It was rampant,” Marden said, noting that the AFP identified the suspect and referred the case to the Ukrainians for prosecution. “At one stage in 2019 we had a couple of hundred SMS phishing campaigns tied to just this particular actor. Pretty much every Australian received a half dozen of these phishing attempts.”

U-Admin, a.k.a. “Universal Admin,” is crimeware platform that first surfaced in 2016. U-Admin was sold by an individual who used the hacker handle “Kaktys” on multiple cybercrime forums.

According to this comprehensive breakdown of the phishing toolkit, the U-Admin control panel isn’t sold on its own, but rather it is included when customers contact the developer and purchase a set of phishing pages designed to mimic a specific brand — such as a bank website or social media platform.

Cybersecurity threat intelligence firm Intel 471 describes U-Admin as an information stealing framework that uses several plug-ins in one location to help users pilfer victim credentials more efficiently. Those plug-ins include a phishing page generator, a victim tracker, and even a component to help manage money mules (for automatic transfers from victim accounts to people who were hired in advance to receive and launder stolen funds).

Perhaps the biggest selling point for U-Admin is a module that helps phishers intercept multi-factor authentication codes. This core functionality is what’s known as a “web inject,” because it allows phishers to dynamically interact with victims in real-time by injecting content into the phishing page that prompts the victim to enter additional information. The video below, produced by the U-Admin developer, shows a few examples (click to enlarge).

There are multiple recent reports that U-Admin has been used in conjunction with malware — particularly Qakbot (a.k.a. Qbot) — to harvest one-time codes needed for multi-factor authentication.

“Paired with [U-Admin’s 2FA harvesting functionality], a threat actor can remotely connect to the Qakbot-infected device, enter the stolen credentials plus the 2FA token, and begin initiating transactions,” explains this Nov. 2020 blog post on an ongoing Qakbot campaign that was first documented three months earlier by Check Point Research.

In the days following the Ukrainian law enforcement action, several U-Admin customers on the forums where Kaktys was most active began discussing whether the product was still safe to use following the administrator’s arrest.

The AFP’s Marden hinted that the suspicions raised by U-Admin’s customer base might be warranted.

“I wouldn’t be unhappy with the crooks continuing to use that piece of kit, without saying anything more on that front,” Marden said.

While Kaktys’s customers may be primarily concerned about the risks of using a product supported by a guy who just got busted, perhaps they should be more worried about other crooks [or perhaps the victim banks themselves] moving in on their turf: It appears the U-Admin package being sold in the underground has long included a weakness that could allow anyone to view or alter data that was phished with the help of this kit.

The security flaw was briefly alluded to in a 2018 writeup on U-Admin by the SANS Internet Storm Center.

“Looking at the professionality of the code, the layout and the functionality I’m giving this control panel 3 out of 5 stars,” joked SANS guest author Remco Verhoef. “We wanted to give them 4 stars, but we gave one star less because of an SQL injection vulnerability” [link added].

That vulnerability was documented in more detail at exploit archive Packet Storm Security in March 2020 and indexed by Check Point Software in May 2020, suggesting it still persists in current versions of the product.

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. This advice is the same whether you’re using a mobile or desktop device. In fact, this phishing framework specialized in lures specifically designed to be loaded on mobile devices.

Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Further reading:

uAdmin Show & Tell
Gathering Intelligence on the Qakbot banking Trojan

ValidCC, a dark web bazaar run by a cybercrime group that for more than six years hacked online merchants and sold stolen payment card data, abruptly closed up shop last week. The proprietors of the popular store said their servers were seized as part of a coordinated law enforcement operation designed to disconnect and confiscate its infrastructure.

There are dozens of online shops that sell so-called “card not present” (CNP) payment card data stolen from e-commerce stores, but most source the data from other criminals. In contrast, researchers say ValidCC was actively involved in hacking and pillaging hundreds of online merchants — seeding the sites with hidden card-skimming code that siphoned personal and financial information as customers went through the checkout process.

Russian cybersecurity firm Group-IB published a report last year detailing the activities of ValidCC, noting the gang behind the crime shop was responsible for plundering nearly 700 e-commerce sites. Group-IB dubbed the gang “UltraRank,” which it said had additionally compromised at least 13 third-party suppliers whose software components are used by countless online stores across Europe, Asia, North and Latin America.

Group-IB believes UltraRank is responsible for a slew of hacks that other security firms previously attributed to at least three distinct cybercrime groups.

“Over five years….UltraRank changed its infrastructure and malicious code on numerous occasions, as a result of which cybersecurity experts would wrongly attribute its attacks to other threat actors,” Group-IB wrote. “UltraRank combined attacks on single targets with supply chain attacks.”

ValidCC’s front man on multiple forums — a cybercriminal who uses the hacker handle “SPR” — told customers on Jan. 28 that the shop would close for good following what appeared to be a law enforcement takedown of its operations. SPR claims his site lost access to a significant inventory — more than 600,000 unsold stolen payment card accounts.

“As a result, we lost the proxy and destination backup servers,” SPR explained. “Besides, now it’s impossible to open and decrypt the backend. The database is in the hands of the police, but it’s encrypted.”

ValidCC had thousands of users, some of whom held significant balances of bitcoin stored in the shop when it ceased operations. SPR claims the site took in approximately $100,000 worth of virtual currency deposits each day from customers.

Many of those customers took to the various crime forums where the shop has a presence to voice suspicions that the proprietors had simply decided to walk away with their money at a time when Bitcoin was near record-high price levels.

SPR countered that ValidCC couldn’t return balances because it no longer had access to its own ledgers.

“We don’t know anything!,” SPR pleaded. “We don’t know users’ balances, or your account logins or passwords, or the [credit cards] you purchased, or anything else! You are free to think what you want, but our team has never conned or let anyone down since the beginning of our operations! Nobody would abandon a dairy cow and let it die in the field! We did not take this decision lightly!”

Group-IB said ValidCC was one of many cybercrime shops that stored some or all of its operational components at Media Land LLC, a major “bulletproof hosting” provider that supports a vast array of phishing sites, cybercrime forums and malware download servers.

Assuming SPR’s claims are truthful, it could be that law enforcement agencies targeted portions of Media Land’s digital infrastructure in some sort of coordinated action. However, so far there are no signs of any major uproar in the cybercrime underground directed at Yalishanda, the nickname used by the longtime proprietor of Media Land.

ValidCC’s demise comes close on the heels of the shuttering of Joker’s Stash, by some accounts the largest underground shop for selling stolen credit card and identity data. On Dec. 16, 2020, several of Joker’s long-held domains began displaying notices that the sites had been seized by the U.S. Department of Justice and Interpol. Less than a month later, Joker announced he was closing the shop permanently.

And last week, authorities across Europe seized control over dozens of servers used to operate Emotet, a prolific malware strain and cybercrime-as-service operation. While there are no indications that action targeted any criminal groups apart from the Emotet gang, it is often the case that multiple cybercrime groups will share the same dodgy digital infrastructure providers, knowingly or unwittingly.

Gemini Advisory, a New York-based firm that closely monitors cybercriminal stores, said ValidCC’s administrators recently began recruiting stolen card data resellers who previously had sold their wares to Joker’s Stash.

Stas Alforov, Gemini’s director of research and development, said other card shops will quickly move in to capture the customers and suppliers who frequented ValidCC.

“There are still a bunch of other shops out there,” Alforov said. “There’s enough tier one shops out there that sell card-not-present data that haven’t dropped a beat and have even picked up volumes.”

The unprecedented volume of unemployment insurance fraud witnessed in 2020 hasn’t abated, although news coverage of the issue has largely been pushed off the front pages by other events. But the ID theft problem is coming to the fore once again: Countless Americans will soon be receiving notices from state regulators saying they owe thousands of dollars in taxes on benefits they never received last year.

One state’s experience offers a window into the potential scope of the problem. Hackers, identity thieves and overseas criminal rings stole over $11 billion in unemployment benefits from California last year, or roughly 10 percent of all such claims the state paid out in 2020, the state’s labor secretary told reporters this week. Another 17 percent of claims — nearly $20 billion more – are suspected fraud.

California’s experience is tracked at a somewhat smaller scale in dozens of other states, where chronically underfunded and technologically outdated unemployment insurance systems were caught flat-footed by an avalanche of fraudulent claims. The scammers typically use stolen identity data to claim benefits, and then have the funds credited to an online account that they control.

States are required to send out 1099-G forms reporting taxable income by Jan. 31, and under federal law unemployment benefits are considered taxable income. Unfortunately, many states have not reconciled their forms with confirmed incidences of fraudulent unemployment insurance claims, meaning many people are being told they owe a great deal more in taxes than they actually do.

In a notice posted Jan. 28, the U.S. Internal Revenue Service urged taxpayers who receive forms 1099-G for unemployment benefits they didn’t actually get because of ID theft to contact their appropriate state agency and request a corrected form.

But the IRS’s advice ignores two rather inconvenient realities. The first is that the same 1099-G forms which states are sending to their citizens also are reported to the IRS — typically at the same time the notices are mailed to residents. The other is that many state agencies are completely overwhelmed right now.

Karl Fava, a certified public accountant in Michigan, told KrebsOnSecurity two of his clients have received 1099-G forms from Michigan regarding thousands of dollars in unemployment payments that they had neither requested nor received.

Fava said Michigan recently stood up a website where victims of unemployment insurance fraud who’ve received incorrect 1099-Gs can report it, but said he’s not confident the state will issue corrected notices before the April 15 tax filing deadline.

“In both cases, the recipients contacted the state but couldn’t get any help,” Fava said. “We’re not getting a lot of traction in resolving this issue. But the fact that they’ve now created a web page where people can input information about receiving these tells you they have to know how prevalent this is.”

Fava said for now he’s advising his clients who are dealing with this problem to acknowledge the amount of fraudulent income on their federal tax returns, but also to subtract an equal amount on the return and note that the income reported by the state was due to fraud.

“That way, things can be consistent with what the IRS already knows,” Fava said. “Not to acknowledge an issue like this on a federal return is just asking for a notice from the IRS.”

The Taxpayer Advocate Service, an independent office of the U.S. Internal Revenue Service (IRS) that champions taxpayer advocacy issues, said it recently became aware that some taxpayers are receiving 1099-Gs that include reported income due to unemployment insurance identity theft. The office said it is hearing about a lot of such issues in Ohio particularly, but that the problem is happening nationally.

Another perennial (albeit not directly related) identity theft scourge involving taxes each year is refund fraud. Tax refund fraud involves the use of identity information and often stolen or misdirected W-2 forms to electronically file an unauthorized tax return for the purposes of claiming a refund in the name of a taxpayer.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.  

The best way to avoid tax refund fraud is to file your taxes as early possible. This year, that date is Feb. 12. One way the IRS has sought to stem the flow of bogus tax refund applications is to issue the IP PIN, which is a six-digit number assigned to taxpayers that helps prevent the use of their Social Security number on a fraudulent income tax return. Each PIN is good only for the tax year for which it was issued.

Until recently the IRS restricted who could apply for an IP PIN, but the program has since been opened to all taxpayers. To create one, if you haven’t already done so you will need to plant your flag at the IRS by stepping through the agency’s “secure access authentication” process.

Creating an account requires supplying a great deal of personal data; the information that will be requested is listed here.

The signup process requires one to validate ownership of a mobile phone number in one’s name, and it will reject any voice-over-IP-based numbers such as those tied to Skype or Google Voice. If the process fails at this point, the site should offer to send an activation code via postal mail to your address on file.

Once you have an account at the IRS and are logged in, you can request an IP PIN by visiting this link and following the prompts. The site will then display a six digit PIN that needs to be included on your federal return before it can be accepted. Be sure to print out a copy and save it in a secure place.

U.S. and Bulgarian authorities this week seized the darkweb site used by the NetWalker ransomware cybercrime group to publish data stolen from its victims. In connection with the seizure, a Canadian national suspected of extorting more than $27 million through the spreading of NetWalker was charged in a Florida court.

NetWalker is a ransomware-as-a-service crimeware product in which affiliates rent access to the continuously updated malware code in exchange for a percentage of any funds extorted from victims. The crooks behind NetWalker used the now-seized website to publish personal and proprietary data stolen from their prey, as part of a public pressure campaign to convince victims to pay up.

NetWalker has been among the most rapacious ransomware strains, hitting at least 305 victims from 27 countries — the majority in the United States, according to Chainalysis, a company that tracks the flow virtual currency payments.

“Chainalysis has traced more than $46 million worth of funds in NetWalker ransoms since it first came on the scene in August 2019,” the company said in a blog post detailing its assistance with the investigation. “It picked up steam in mid-2020, growing the average ransom to $65,000 last year, up from $18,800 in 2019.”

In a statement on the seizure, the Justice Department said the NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. For example, the University of California, San Francisco paid $1.14 million last summer in exchange for a digital key needed to unlock files encrypted by the ransomware.

“Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims,” the DOJ said.

U.S. prosecutors say one of NetWalker’s top affiliates was Sebastien Vachon-Desjardins, of Gatineau, in Ottawa, Canada. An indictment unsealed today in Florida alleges Vachon-Desjardins obtained at least $27.6 million from the scheme.

The DOJ’s media advisory doesn’t mention the defendant’s age, but a 2015 report in the Gatineau local news website ledroit.com suggests this may not be his first offense. According to the story, a then-27-year-old Sebastien Vachon-Desjardins was sentenced to more than three years in prison for drug trafficking: He was reportedly found in possession of more than 50,000 methamphetamine tablets.

The NetWalker action came on the same day that European authorities announced a coordinated takedown targeting the Emotet crimeware-as-a-service network. Emotet is a pay-per-install botnet that is used by several distinct cybercrime groups to deploy secondary malware — most notably the ransomware strain Ryuk and Trickbot, a powerful banking trojan.

The NetWalker ransomware affiliate program kicked off in March 2020, when the administrator of the crimeware project began recruiting people on the dark web. Like many other ransomware programs, NetWalker does not permit affiliates to infect systems physically located in Russia or in any other countries that are part of the Commonwealth of Independent States (CIS) — which includes most of the nations in the former Soviet Union. This is a prohibition typically made by cybercrime operations that are coordinated out of Russia and/or other CIS nations because it helps minimize the chances that local authorities will investigate their crimes.

The following advertisement (translated into English by cybersecurity firm Intel 471) was posted by the NetWalker affiliate program manager last year to a top cybercrime forum. It illustrates the allure of the ransomware affiliate model, which handles everything from updating the malware to slip past the latest antivirus updates, to leasing space on the dark web where affiliates can interact with victims and negotiate payment. The affiliate, on the other hand, need only focus on finding new victims.

We are recruiting affiliates for network processing and spamming.
We are interested in people whose priority is quality and not quantity.
We prefer candidates who can work with large networks and have their own access to them.
We are going to recruit a limited number of affiliates and then close the openings until they are available again.

We offer you prompt and flexible ransomware, a user-friendly admin panel in Tor, an automated service.

Encryption of shared accesses: if several users are logged in to the target computer, the ransomware will infect their mapped drives, as well as network resources where those users are logged in — shared accesses/NAS etc.

Powershell build. Each build is unique, in that the malware is inside the script – it is not downloaded from the internet. This makes bypassing antivirus protection easier, including Windows Defender (cloud+).

A fully automated blog where the victim’s dumped data is directed. The data is published according to your settings. Instant and automated payouts: initially 20 percent, no less than 16 percent.

Accessibility of a crypting service to avoid AV detections.

The ransomware has been in use since September 2019 and proved to be reliable. The files encrypted with it cannot be decrypted.

Targeting Russia or the CIS is prohibited.

You’ll get all the information about the ransomware as well as terms and conditions after you place an application via PM.

Application form:
1) The field you specialize in.
2) Your experience. What other affiliate programs have you been in and what was your profit?
3) How many accesses [to networks] do you have? When are you ready to start? How many accesses do you plan on monetizing?