DOJ charges suspect in NetWalker ransomware attacks

A coordinated law enforcement effort has stopped NetWalker dead in its tracks.

The U.S. Department of Justice (DOJ) Wednesday announced the notorious ransomware as a service had been disrupted, thanks to an international operation with Bulgaria's National Investigation Service and General Directorate Combating Organized Crime. Affiliates of NetWalker, which was discovered in September 2019, use phishing techniques and pressured victims to pay ransoms by threatening to leak data to a public "shame" site.

According to the DOJ announcement, the disruption includes charges against a Canadian national, Sebastien Vachon-Desjardins of Gatineau, who allegedly obtained over $27.6 million from ransomware attacks and related crybercrimes; the seizure of a dark web hidden service used by affiliates to communicate payment with victims; and almost $500,000 in cryptocurrency, comprised of ransom payments made in three separate NetWalker ransomware attacks. The announcement also detailed how these attacks work.

"According to the affidavit, once a victim's computer network is compromised and data is encrypted, actors that deploy NetWalker deliver a file, or ransom note, to the victim. Using Tor, a computer network designed to facilitate anonymous communications over the internet, the victim is then provided with the amount of ransom demanded and instructions for payment," the DOJ announcement said.

The DOJ said Bulgarian authorities this week seized the hidden service for NetWalker, but it's unclear if other infrastructure or operations were affected.

"We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims," said Nicholas McQuaid, acting assistant attorney general of the Justice Department's criminal division, in the announcement. "Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today's multi-faceted operation."

Once deployed, NetWalker allows actors to gain unauthorized access to a victim's computer network days or weeks prior to demanding the ransom. This provides time for reconnaissance such as elevating privileges within the network while spreading the ransomware from workstation to workstation. Threat actors behind the advanced ransomware variant have deployed it against municipalities, the education sector, law enforcement and hospitals.

The DOJ said NetWalker affiliates have specifically targeted healthcare organizations during the COVID-19 pandemic.

For example, in March an attack against the Champaign-Urbana Public Health District was attributed to NetWalker. As a result, the organization's website, used to provide updates and information on the coronavirus response efforts, was taken offline. The district moved updates to its Facebook page, where they finally announced that its website was back up, though further details were not provided about the attack or recovery.

In May, Bleeping Computer reported that NetWalker affiliates encrypted files at Michigan State University and threatened to leak the data if they did not meet a one-week ransom deadline. The operators took it a step further by publishing five images, taken from the university, on its public leak site. MSU released a statement June 3, which said it refused to pay.

The NetWalker disruption was announced on the same day as the takedown of the infamous botnet Emotet. Emotet, a banking Trojan first discovered in 2014 that later evolved into a prolific botnet, has consistently been recognized by security vendors and threat researchers as one of the top malware threats.