FBI Takes On Ransomware Giant NetWalker

Published: 29 January 2021

Since Netwalker appeared in 2019, more that $46 million in transactions have been traced to it. (Source: U.S. Department of Justice)Since Netwalker appeared in 2019, more that $46 million in transactions have been traced to it. (Source: U.S. Department of Justice)

By Sadie Brown

In a coordinated international effort, the FBI made critical advances in taking down the ransomware NetWalker by disrupting its dark web communication site, confiscating nearly half a million dollars in cryptocurrency payments and charging a Canadian man related to the attacks, according to a U.S. Department of Justice press release.

Netwalker attacks targeted municipalities, law enforcement, educational institutions, public services and lately, the healthcare sector during a pandemic, demanding ransom payments for access to hijacked data.

“This caseillustrates the FBI’s capabilities and global partnerships in tracking ransomware attackers, unmasking them, and holding them accountable for their alleged criminal actions,” Special Agent in Charge Michael F. McPherson said in a statement. 

The indictment of Sebastien Vachon-Dejardins of Quebec, unsealed Wednesday, alleged that he collected over US$27.6 million in payments for hostaged data. Authorities recovered about $454,000 in cryptocurrency allegedly received as ransom payments in three different attacks.  

Vachon-Dejardins is only one actor in the global ransomware operation. NetWalker works as a service, leasable to affiliates like Vachon-Dejardins who carry out attacks on targets of their choosing and split profits with the creators of the service, according to court documents. If targets don’t pay up, affiliates steal the data they hijacked or in some cases, publish it. 

The cryptocurrency watchdog Chainalysis reported that since it appeared in 2019 it has traced more that $46 million in transactions to NetWalker and identified fewer that 20 different affiliates of the ransomware. 

Authorities in Bulgaria this week assisted the investigation by shutting down the dark web portal used to communicate with and extort NetWalker victims. 

The DOJ encouraged people targeted by the attacks to speak up quickly. 

“Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation,” said Acting Assistant Attorney General Nicholas L. McQuaid.