The U.S. Justice Department announced today the disruption of the Netwalker ransomware operation and the indictment of a Canadian national for alleged involvement in the file-encrypting extortion attacks.

Earlier today, BleepingComputer reported that law enforcement in the U.S. and Bulgaria seized Netwalker sites on the dark web used for leaking data from non-paying victims and for negotiating payments for data decryption.

In a press release published minutes ago, the DOJ confirms the success of the takedown effort in cooperation with the Bulgarian National Investigation Service and General Directorate Combating Organized Crime.

Netwalker affiliate charged

Despite starting in late 2019, Netwalker ransomware operation caused financial losses of tens of millions of US dollars. A report in August 2020 notes that the actors made $25 million in just five months of activity.

Apart from seizing the dark web sites, the DOJ says that Canadian national Sebastien Vachon-Desjardins of Gatineau was charged in relation to Netwalker ransomware attacks.

It is alleged that Desjardins obtained more than $27.6 million from the extortion activity. His role in the operation began at least in April 2020, indicating that he is an affiliate and not part of the developer crew.

“According to an indictment unsealed today, Sebastien Vachon-Desjardins of Gatineau, a Canadian national, was charged in the Middle District of Florida. Vachon-Desjardins is alleged to have obtained at least over $27.6 million as a result of the offenses charged in the indictment.”

The model that most ransomware developers follow for their operations is to deploy a service and recruit affiliates like Desjardins who find high-value victims, breach them and deploy Netwalker on their systems. The ransom money is then split between the two partners, with affiliates taking the largest cut.

On January 10, law enforcement was able to seize a little over $450,000 in cryptocurrency that represented ransom payments from three distinct Netwalker victims.

The threat actor's ransom demands vary according to the size and profitability of the target. Incident responders from Crypsis, a Palo Alto Networks company, told BleepingComputer that in the case of three U.S. organizations Netwalker asked for cryptocurrency worth $108,000  from a public entity, a little over $2 million from a utilities organization, and $1 million from a manufacturing business.

At least one of these victims paid the ransom to receive the utility that allowed the recovery of the files encrypted in the attack.

Netwalker has encrypted systems to some high-profile victims, including Equinix, Enel Group, the Argentian immigration agency, University of California San Francisco (UCSF), and K-Electric.

The threat actors also attacked municipalities, hospitals, law enforcement organizations, emergency services, school districs, colleges, and universities.

This operation does not mean it’s the end of the Netwalker operation but it’s definitely a step closer. Other affiliates exist and given how profitable this illegal business is, developers have plenty of candidates to choose from.

Update [February 1, 2021]: Article updated with information from the Crypsis Group.

Related Articles:

FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs

Yanluowang ransomware operation matures with experienced affiliates

Marine services provider Swire Pacific Offshore hit by ransomware

Magniber ransomware gang now exploits Internet Explorer flaws in attacks

Hackers target biomanufacturing with stealthy Tardigrade malware