A Canadian national has been indicted in the U.S. for using the NetWalker ransomware to target organisations worldwide, earning at least over $27.6 million, and using a dark web resource to blackmail ransomware victims.
Last week, the U.S. Department of Justice announced that the infrastructure of the feared NetWalker ransomware was taken down in a coordinated law enforcement operation which resulted in the seizure of almost half a million dollars in cryptocurrency, the destruction of a dark web resource in Bulgaria, and the indictment of a Canadian national who used the ransomware to earn tens of millions.
According to DoJ, operators of the NetWalker ransomware ran a well-oiled ransomware-as-a-service model, dividing themselves into two teams- developers and affiliates. While the developers updated and refined the ransomware for use in targeted attacks on unsuspecting companies, the affiliates identified and attacked high-value targets. Both the teams split the ransom following a successful operation.
The coordinated law enforcement operation resulted in the indictment of Sebastien Vachon-Desjardins, a Canadian national from whom authorities seized approximately $454,530.19 which he earned in the form of ransom payments from three victim companies. Authorities estimate that Vachon-Desjardins earned at least over $27.6 million through multiple NetWalker attacks.
Additionally, the Bulgarian National Investigation Service and the country's General Directorate Combating Organized Crime also seized a dark web resource that was used by the operators of NetWalker to communicate with victim companies and to provide payment instructions to the latter.
According to the indictment filed in the U.S., the ransom note was delivered through the dark web resource only after the operators of NetWalker were convinced that they had sufficiently infiltrated the victim’s network to extort payment.
"Actors that deploy NetWalker commonly gain unauthorised access to a victim’s computer network days or weeks prior to the delivery of the ransom note. During this time, they surreptitiously elevate their privileges within the network while spreading the ransomware from workstation to workstation. They then send the ransom note only once they are satisfied that they have sufficiently infiltrated the victim’s network to extort payment," DoJ said.
"NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims," it added.
Commenting on the takedown of the NetWalker infrastructure, Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division said: “We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims.
“Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”
“This action reflects the resolve of the U.S. Attorney’s Office for the Middle District of Florida to target and disrupt sophisticated, international cybercrime schemes. While these individuals believe they operate anonymously in the digital space, we have the skill and tenacity to identify and prosecute these actors to the full extent of the law and seize their criminal proceeds,” said U.S. Attorney Maria Chapa Lopez for the Middle District of Florida.
The takedown of the NetWalker ransomware took place within days after major law enforcement operation spanning Europe and North America succeeded in taking down the infrastructure of Emotet, one of the world's most popular and widely-used malware botnets since 2014.
Prior to its takedown, hackers distributed Emotet to thousands of IT networks and millions of computers worldwide using COVID-19-themed phishing emails, attaching password-protected Zip files in emails to bypass email security gateways, and stealing existing email chains from an infected host to reply to the chain using a spoofed identity and attaching a malicious document to trick recipients into opening the file.
A reason why Emotet was so successful in recent times is that the trojan was designed to change its code each time it was used, making it difficult for antivirus software to detect it based on known signatures. The malware was also known for its worm-like feature, quickly spreading across the network after infiltrating a device connected to the network.