, NetWalker Ransomware Suspect Charged: Tor Site Seized

The suspect allegedly has extorted $27.6 million from ransomware victims, mostly in the healthcare sector.

Hot on the heels of the Emotet takedown announced Wednesday, the NetWalker ransomware has also been partially disrupted by an international police action.

The Department of Justice said Wednesday that it has brought charges “against a Canadian national in relation to NetWalker ransomware attacks,” while also seizing around $454,500 in cryptocurrency from ransom payments made by three separate victims.

The Canadian in question, Sebastien Vachon-Desjardins of Gatineau, is alleged to have raked in more than $27.6 million overall from NetWalker activities. It’s unclear what specific part he played in the ransomware’s overall operations, nor if he is in custody. Threatpost has reached out for further information.

, NetWalker Ransomware Suspect Charged: Tor Site Seized

“This represents a significant win for the good guys,” Brett Callow, threat analyst at Emisoft, told Threatpost. “Historically, too few cybercriminals have been prosecuted. Hopefully, actions such as this will create a real deterrent and, coupled with other measures, start to have an impact on ransomware and other forms of cybercrime.”

He pointed out that according to Third Way, the effective enforcement rate for cybercrime in the U.S. is only 0.05 percent – which the think-tank describes as a “stunning enforcement gap.”

NetWalk of Shame

The NetWalker ransomware has impacted numerous types of victims since bursting on the scene in 2020; but it has made healthcare targets a particular focus, using the COVID-19 pandemic to better extort organizations.

NetWalker’s victims include the University of California – San Francisco (a leading institution in biological and medical research and home to a medical school and a medical center); the Crozer-Keystone Health System, Champaign-Urbana Public Health District and the College of Nurses of Ontario. It is also the scourge behind one of the Toll Group attacks.

In mid-2020, NetWalker authors notably transitioned to a ransomware-as-a-service (RaaS) model, where they rent the malware and surrounding services to affiliates who carry out the actual attacks. Authors and affiliates then split the profits. Its operators are known for placing a heavy emphasis on targeting and attracting technically advanced affiliates, according to researchers, with special expertise in network access.

Dark Web Site Seized

Meanwhile, the Bulgarian national police force has disabled “a Dark Web hidden resource used to communicate with NetWalker ransomware victims” to provide payment instructions; researchers said the Tor node is also the group’s leaks site, where it publishes stolen victim information if the target refuses to pay a ransom in a form of double extortion.

“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division, in a statement. “Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”

Earlier on Wednesday researchers reported on Twitter that NetWalker’s Dark Web site was displaying a purported seizure notice.

The Feds confirmed the action a few hours later.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!