Alpha Ransomware Linked To Netwalker Operation Dismantled In 2021

Alpha ransomware code and new leak site similar to defunct NetWalker

Security researchers analyzing the Alpha ransomware payload and modus operandi discovered overlaps with the now-defunct Netwalker ransomware operation.

Netwalker was a prolific ransomware-as-a-service (RaaS) active between October 2019 and January 2021, when law enforcement seized its dark web sites, resulting in its operators going silent.

The Alpha ransomware operation (not to be confused with ALPHV/BlackCat) emerged in February 2023 but kept a low profile, didn’t promote on hacker forums, nor did its operators carry out many attacks.

This changed recently when the group launched a data leak site to list victims and publish files stolen from breached networks.

At the time of writing, Alpha shows nine victims on its extortion portal, and for eight of them the threat actor has already published the stolen files.

Alpha's extortion site
Alpha’s extortion site (BleepingCompouter)

A Neterich report from January 29 says that Alpha has gradually grown more sophisticated.

In the most recent version, the ransomware appends a random 8-character alphanumeric extension to encrypted files.

Also, after many ransom note iterations, the latest includes instructions for victims to contact the threat actor over a messaging service.

The reported ransom demand, according to Neterich, ranges between 0.272 BTC ($13,200 by today’s exchange rate) and up to $100,000, likely depending on the business size of the victim.

Links to Netwalker

A new report published today by Symantec’s threat analysts links Alpha to the defunct Netwalker ransomware, based on tools and tactics, techniques, and procedures used in attacks.

The key similarities the Symantec highlights include the following:

  • Both Netwalker and Alpha ransomware use a similar PowerShell-based loader to deliver their payloads.
  • Significant code overlaps in the payload, including the general execution flow of the main functionalities, termination of processes and services, and similarities in invoking system APIs.
Use of custom import address tables
Use of custom import address tables (Netwalker left, Alpha right) (Symantec)
  • Configuration similarities in the list of folders, files, and extensions to be skipped, as well as the processes and services to be killed.
  • Both delete themselves using a temporary batch file after the completion of the encryption process.
  • The payment portals for both Netwalker and Alpha contain the same message: “For enter, please use user code.”
Comparison of portals (NetWalker left)
Comparison of portals (NetWalker left, Alpha right) (Symantec)

Symantec also reports that recent Alpha attacks extensively employ living-off-the-land tools, including Taskkill, PsExec, Net.exe, and Reg.exe, for evasion. However, this is common to many ransomware gangs.

The above similarities indicate a strong link between NetWalker and Alpha’s developers, which could either mean a revival of NetWalker under the Alpha brand or that its code is being reused by a new threat group.

Symantec notes that a new attacker could have acquired the NetWalker payload and adapted it for their ransomware operation.

Although it is not currently a significant player on the ransomware scene, Alpha is regarded as an emerging threat organizations should watch out for.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.