U.S. and Bulgarian authorities this week took control of the dark web site used by the NetWalker ransomware cybercrime group to publish data stolen from its victims.
“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division.
“Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”
In connection with the takedown, a Canadian national named Sebastien Vachon-Desjardins from the city of Gatineau was charged in the U.S. state of Florida for extorting $27.6 million in cryptocurrency from ransom payments.
Separately, the Bulgarian National Investigation Service and General Directorate Combating Organized Crime seized a dark web hidden resource used by NetWalker ransomware affiliates — i.e., cybercrime groups responsible for identifying and attacking high-value victims using the ransomware — to provide payment instructions and communicate with victims.
Visitors to the website will now be greeted by a seizure banner notifying them that it has been taken over by law enforcement authorities.
Chainalysis, which aided in the investigation, said it has “traced more than $46 million worth of funds in NetWalker ransoms since it first came on the scene in August 2019,” adding “it picked up steam in mid-2020, growing the average ransom to $65,000 last year, up from $18,800 in 2019.”
In recent months, Netwalker emerged as a popular choice of ransomware strain besides Ryuk, Maze, Doppelpaymer, and Sodinokibi, with numerous companies, municipalities, hospitals, schools, and universities targeted by the cybercriminals to extort victims.
Before the takedown, the NetWalker administrator, who goes by the moniker “Bugatti” on darknet forums, is said to have posted an advertisement in May 2020 looking for additional Russian-speaking affiliates as part of a transition to a ransomware-as-a-service (RaaS) model, using the partners to compromise targets and steal data before encrypting the files.
The NetWalker operators have also been part of a growing ransomware trend called double extortion, where the attackers hold the stolen data hostage and threaten to publish the information should the target refuse to pay the ransom.
“After a victim pays, developers and affiliates split the ransom,” the U.S. Department of Justice (DoJ) said.
Chainalysis researchers suspect that besides involving in at least 91 attacks using NetWalker since April 2020, Vachon-Desjardins worked as an affiliate for other RaaS operators such as Sodinokibi, Suncrypt, and Ragnarlocker.
The NetWalker disruption comes on the same day that European authorities announced a coordinated takedown targeting the Emotet crimeware-as-a-service network. The botnet has been used by several cybercrime groups to deploy second-stage malware — most notably Ryuk and TrickBot.