US and Bulgarian authorities disrupt NetWalker ransomware operation


NetWalker

Image: McAfee, ZDNet

Law enforcement agencies from Bulgaria and the US disrupted the infrastructure of NetWalker, one of 2020’s most active ransomware gangs, this week.

Bulgarian officials seized a server used to host dark web portals for the NetWalker gang, while officials in the US indicted a Canadian national who allegedly made at least $27.6 million from infecting companies with the NetWalker ransomware.

The seized server hosted the pages to which victims of NetWalker attacks were redirected to communicate with the attackers and negotiate ransom demands.

The same server also hosted a blog section where the NetWalker gang leaked data stolen from hacked companies that refused to pay the ransom demand — as a form of revenge and public shaming.

Netwalker ransomware leak site

Image: ZDNet

Details about the Canadian national indicted today are not yet available beyond his name and residence — Sebastien Vachon-Desjardins, of Gatineau.

It is currently unclear whether Vachon-Desjardins is the creator of the NetWalker ransomware or one of its “affiliates” who rented the ransomware code from the original creator.

This type of business is called Ransomware-as-a-Service, or RaaS, and is a common setup employed by many ransomware gangs today.

Prior to today’s takedown, NetWalker operated through topics posted on several underground forums by a user named Bugatti. This user advertised the ransomware’s features and looked for “partners” (aka affiliates) who would breach corporate networks, steal data to be used as leverage during negotiations, and install the ransomware to encrypt files.

If victims paid, Bugatti and the affiliate would split the ransom payments according to a pre-negotiated agreement.

A report from McAfee published in August 2020 claimed the NetWalker ransomware operation earned more than $25 million from ransom payments from March to July 2020 alone — a number that has gone up, as the gang continued to operate until today’s takedown.

Besides charging Vachon-Desjardins, the US DOJ also said it managed to seize $454,530.19 in cryptocurrency believed to be linked to ransom payments made by three past NetWalker victims.

The NetWalker disruption also comes on the same day that Europol and its partners announced a takedown of the Emotet botnet.
