The FBI has launched an international investigation into the NetWalker ransomware operation, and prosecutors have filed an indictment on a key figure in the operation.
Florida courts charged Gatineau, Quebec-based Sebastien Vachon-Desjardins on December 2 and unsealed the indictment this week. The indictment accuses Vachon-Desjardins of computer fraud, conspiracy to commit wire fraud, intentional damage to a connected computer, and transmitting a demand in relation to that damage.
According to the Department of Justice (DoJ), Vachon-Desjardins allegedly obtained over $27.6 million from his fraudulent actions. On January 10, law enforcement officials also seized $454,530.19 in cryptocurrency, which the DoJ said came from three NetWalker victims.
NetWalker operates under a ransomware-as-a-service model, in which the code's owner allows affiliates to use it. The affiliates then pay the owner a commission from any successful ransomware operations. The affidavit accuses Vachon-Desjardins of transmitting ransomware himself and helping others to do the same.
NetWalker's operation was efficient in collecting payment, resulting in a lower-than-average resolution time for payments and data recovery, according to Coveware, a ransomware mitigation company. Coveware also reported that all NetWalker decryptions were successful after victims paid.
RELATED RESOURCE
Ransomware protection with Veritas NetBackup Appliances
How to use Veritas NetBackup and NetBackup Appliances to protect against and recover from ransomware attacks
The ransomware operation's success was partly due to it using the Tor dark web protocol that automated victims’ payments. In a report detailing the NetWalker operation, McAfee noted the company switched from email communication with victims entirely to the Tor site in March 2020.
This week, Bulgarian police seized an online property NetWalker affiliates used to deliver those payment instructions and replaced it with a seizure banner notifying victims of the takedown.
Attacks targeted a wide array of organizations, ranging from health care operations already under pressure from the pandemic through to educational facilities and local governments, and the operation was lucrative. Coveware reports the average NetWalker ransom payment was $344,000 in Q4 2020. However, some payments have been far higher. In June 2020, the University of California paid NetWalker criminals $1.14 million to recover encrypted data.
NetWalker attacks, which were mounted via phishing emails or through vulnerable remote desktop protocol (RDP) ports, didn’t always end with decryption. In some cases, affiliates would also exfiltrate the data and then charge victims not to publish it in what has become known as a double-extortion attack. Coveware has said that roughly half of all ransomware attacks now use this method.
-
Enterprise AI adoption is about to get the Big Brother treatmentOpinion Worried your staff aren’t using those shiny AI tools you petitioned for? Big tech has you covered
-
Dreamforce 2025: What's an agentic OS?ITPro Podcast NPUs, e-ink, and immersive headsets are the latest hardware innovations for business devices
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber professionals are losing sleep over late night attacksNews Hackers are biding their time and launching attacks when businesses can’t respond
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
