The U.S. Department of Justice (DOJ) has announced that a dark web website used by the NetWalker ransomware gang has been seized as part of a global action to disrupt operations and bring the individuals responsible for the file-encrypting extortion attacks to justice.
The action was taken in coordination with the United States Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance provided by the Bulgarian National Investigation Service and General Directorate Combatting Organized Crime. The announcement comes just a few hours after Europol announced an international effort that resulted in the takedown of the Emotet botnet.
The NetWalker ransomware gang is one of around 20 ransomware-as-a-service (RaaS) operators that recruit affiliates to distribute ransomware for a cut of any ransom payments they generate. The NetWalker gang started operating in late 2019. Since then, the ransomware has proven popular with affiliates and many attacks have been conducted. It has been estimated that in the first 5 months of the operation, the gang had generated around $25 million in ransom payments, around $1.14 million of which was paid by the University of California San Francisco to recover data encrypted in a June 2020 attack. The total amount of ransom payments is believed to be in excess of $46 million.
The gang has attacked businesses and organizations in a range of different sectors, with the healthcare industry targeted throughout the pandemic. Attacks have also been conducted on schools, colleges, universities, companies, municipalities, and the emergency services.
The investigation into the NetWalker ransomware operation was led by the FBI’s Tampa Field Office and has so far resulted in one arrest. Sebastien Vachon-Desjardins of Gatineau, a Canadian national, has been indicted for his involvement in extortion attacks as an affiliate of the operation. The DOJ alleges Vachon-Desjardins obtained more than $27.6 million in ransom payments since at least April 2020. Vachon-Desjardins is believed to have been responsible, as an affiliate, for hacking networks and deploying ransomware, for which he received 80% of the ransom payments he generated. He is believed to have conducted at least 91 attacks in 8 months. According to a report from Chainalysis, Vachon-Desjardins is also suspected of working with other RaaS operations.
The DOJ said $454,530 in cryptocurrency, paid by three victims of the ransomware attacks, has been seized and Bulgarian law enforcement officials have taken control of a dark web website used by NetWalker ransomware affiliates to communicate with victims and provide instructions for paying ransoms. The website now has a notice explaining the resource is under the control of law enforcement.
The developers of the ransomware are still at large and only one affiliate has been arrested out of more than a dozen, but the action will have caused some disruption to the operation and further arrests may follow.
“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. “Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”