Law enforcement agencies from Bulgaria and the US have disrupted this week the infrastructure of NetWalker, one of 2020’s most active ransomware gangs.
Bulgarian officials seized a server used to host dark web portals for the NetWalker gang, while officials in the US indicted a Canadian national who allegedly made at least $27.6 million from infecting companies with the NetWalker ransomware.
The seized servers were used to host pages where victims of NetWalker attacks were redirected to communicate with the attackers and negotiate ransom demands.
The same server also hosted a blog section where the NetWalker gang would leak data they stole from hacked companies, and which refused to pay the ransom demand — as a form of revenge and public shaming.
Details about the Canadian national indicted today are not yet available beyond his name and residence — Sebastien Vachon-Desjardins, of Gatineau.
Vachon-Desjardins is currently believed to be an “affiliate,” a person who rented the ransomware code from the NetWalker creator.
This type of business is called Ransomware-as-a-Service, or RaaS, and is a common setup employed by many ransomware gangs today.
Prior to today’s takedown, NetWalker operated through topics posted on several underground forums by a user named Bugatti. This user advertised the ransomware’s features and looked for “partners” (aka affiliates) that would breach corporate networks, steal data to be used as leverage during negotiations, and install the ransomware to encrypt files.
If victims paid, Bugatti and the affiliate would split the ransom payments according to a pre-negotiated agreement.
According to US authorities, NetWalker has impacted at least 305 victims from 27 different countries, including 203 in the US.
A report from McAfee published in August 2020 claimed the NetWalker ransomware operation earned more than $25 million from ransom payments from March to July 2020 alone — a number that has gone up, as the gang continued to operate until today’s takedown.
In a report published today, blockchain analysis firm Chainalysis updated that figure to more than $46 million for the entire 2020, putting NetWalker in the year’s top 5 grossing ransomware strains, next to Ryuk, Maze, Doppelpaymer, and Sodinokibi.
The same Chainalysis report also claims that Vachon-Desjardins also worked as an affiliate for other ransomware gangs, such as Sodinokibi, Suncrypt, and RagnarLocker.
Besides charging the Canadian natioanl, the US DOJ also said it also managed to seize $454,530.19 in cryptocurrency believed to be linked to ransom payments made by three past NetWalker victims.
The NetWalker disruption also comes on the same day that Europol and its partners announced a takedown of the Emotet botnet.