Joint Operation Between The U.S. And Bulgaria Disrupted The NetWalker Ransomware Attacks

Ransomware is a malicious software that infects victims' computer and displays messages demanding a fee to be paid.

This money-making scheme has become one of the most common form of attacks, in which the malicious actors trick victims through deceptive links in email messages, instant messages or websites.

Using malicious software, malware gangs can infect victims' computers and hold the data within as ransom. Ransomware can lock a computer screen, encrypt its hard drive, and more. After that, the malware can then display a message to demand payment in order for the system to work again.

Over the recent years, ransomware has evolved to become one of the most prevalent forms of cyberattack that directly threatens governments, enterprises, and non-governmental organization around the world.

And NetWalker is one of the most common and widely-used Ransomware-as-a-Service product. It's considered one of 2020's most active ransomware gangs.

And here, law enforcements from the U.S. and Bulgaria have disrupted the infrastructure of this NetWalker operations,

NetWalker's dark web portal has been seized by the authorities.
NetWalker's dark web portal has been seized by the authorities

The authorities in the U.S. indicted a Canadian citizen Sebastien Vachon-Desjardins of Gatineau, who allegedly made at least $27.6 million from infecting companies with the NetWalker ransomware.

The U.S. authorities said they had also seized about $455,000 in cryptocurrency from ransom payments in three separate attacks.

At the same time, authorities in Bulgaria seized a server used to host dark web portals for the NetWalker gang. Upon inspections, the seized servers were found to host pages where victims of NetWalker attacks were redirected to communicate with the attackers and negotiate the ransom demands.

The same server also hosted a blog section where the NetWalker gang would leak data they stole from hacked companies, if they refused to pay the ransom demand.

"Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today's multi-faceted operation," said Nicholas McQuaid, an acting assistant attorney general with the Justice Department, said in a statement, as quoted in a post on the Department of Justice's website.

Initially, the authorities didn't disclose who Vachon-Desjardins really is, or whether he is the creator of the NetWalker ransomware, or one of its affiliates who rented the ransomware code from the original creator.

But court records show that Vachon-Desjardins was indicted in Florida on several counts, including conspiracy to commit computer-related fraud and intentionally damaging a computer.

[block:block=87]
NetWalker's blog before it was taken down.
NetWalker's blog before it was taken down

NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges and universities. Recent attacks have specifically targeted the health-care sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.

Brett Callow, a Vancouver Island-based threat analyst with cybersecurity firm, Emsisoft, said that the group has made millions.

In one case in 2020, the gang managed to extort $1.4 million from a California university.

A report from McAfee published in August 2020, said that the NetWalker ransomware operation earned more than $25 million from ransom payments from March to July 2020 alone.

Before the take down, NetWalker operated through several underground forums dedicated to hackers, with posts coming from a user named 'Bugatti'.

This user advertised the ransomware's features and looked for "partners" (affiliates) that want to breach corporate networks, steal data to be used as leverage during negotiations, and install the ransomware to encrypt files.

If victims paid, this Bugatti and the affiliate would split the ransom payments.

The NetWalker disruption came on the same day that agencies in 8 different countries announced a takedown of the Emotet botnet.