NetWalker ransomware mastermind indicted in Florida

The FBI has launched an international investigation into the NetWalker ransomware operation, and prosecutors have filed an indictment on a key figure in the operation. 

Florida courts charged Gatineau, Quebec-based Sebastien Vachon-Desjardins on December 2 and unsealed the indictment this week. The indictment accuses Vachon-Desjardins of computer fraud, conspiracy to commit wire fraud, intentional damage to a connected computer, and transmitting a demand in relation to that damage. 

According to the Department of Justice (DoJ), Vachon-Desjardins allegedly obtained over $27.6 million from his fraudulent actions. On January 10, law enforcement officials also seized $454,530.19 in cryptocurrency, which the DoJ said came from three NetWalker victims.

NetWalker operates under a ransomware-as-a-service model, in which the code's owner allows affiliates to use it. The affiliates then pay the owner a commission from any successful ransomware operations. The affidavit accuses Vachon-Desjardins of transmitting ransomware himself and helping others to do the same.

NetWalker's operation was efficient in collecting payment, resulting in a lower-than-average resolution time for payments and data recovery, according to Coveware, a ransomware mitigation company. Coveware also reported that all NetWalker decryptions were successful after victims paid.

The ransomware operation's success was partly due to it using the Tor dark web protocol that automated victims’ payments. In a report detailing the NetWalker operation, McAfee noted the company switched from email communication with victims entirely to the Tor site in March 2020.

This week, Bulgarian police seized an online property NetWalker affiliates used to deliver those payment instructions and replaced it with a seizure banner notifying victims of the takedown.

Attacks targeted a wide array of organizations, ranging from health care operations already under pressure from the pandemic through to educational facilities and local governments, and the operation was lucrative. Coveware reports the average NetWalker ransom payment was $344,000 in Q4 2020. However, some payments have been far higher. In June 2020, the University of California paid NetWalker criminals $1.14 million to recover encrypted data.

NetWalker attacks, which were mounted via phishing emails or through vulnerable remote desktop protocol (RDP) ports, didn’t always end with decryption. In some cases, affiliates would also exfiltrate the data and then charge victims not to publish it in what has become known as a double-extortion attack. Coveware has said that roughly half of all ransomware attacks now use this method.