Menu
Browse

Cyber Threat Actor: Mailto

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
0 incidents
Profile

The threat actor known as Mailto, later rebranded as NetWalker, and separately identified as Nefilim (also referenced as Nemty), operates as a financially motivated ransomware group. NetWalker functions under a ransomware-as-a-service model, recruiting affiliates to conduct attacks, while Nefilim engages in double extortion by exfiltrating data prior to encryption. Both groups maintain dedicated leak sites to publish stolen victim data as leverage for ransom payments.

NetWalker and Nefilim target a broad range of sectors globally, including healthcare, education, government, energy, manufacturing, and transportation. NetWalker has compromised entities such as Lorien Health Services (impacting nearly 50,000 individuals), the University of California San Francisco (which paid a $1.14 million ransom), Argentina’s Dirección Nacional de Migraciones (disrupting border operations), and Pakistan’s K-Electric (causing billing system disruptions). Nefilim breached organizations including Whirlpool, Dussmann Group’s subsidiary DKA, Orange Business Services (exposing 20 enterprise customers), and Atlanta Allergy & Asthma (releasing patient health information). Initial access vectors include exploiting vulnerable VPN gateways (e.g., Citrix CVE-2019-19781 in Luxottica’s case), exposed Remote Desktop Protocol (RDP) servers with weak credentials (e.g., Equinix’s 74 servers), phishing emails, and unsecured databases (e.g., Mangatoon’s Elasticsearch instance protected by the password “password”). Both groups employ data exfiltration followed by encryption, with NetWalker additionally auctioning stolen data (e.g., Crozer-Keystone Health System’s financial records) on dark web platforms when ransoms are unpaid. Ransom demands are typically denominated in Bitcoin, ranging from $4.5 million for Equinix to $14 million for Enel Group, and include countdown timers to pressure victims. No verifiable state affiliations or criminal consortium partnerships are explicitly documented in the provided sources.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
52 sources