NetWalker Ransomware Suspect Charged: Tor Site Seized

netwalker ransomware takedown

The suspect allegedly has extorted $27.6 million from ransomware victims, mostly in the healthcare sector.


Hot on the heels of the Emotet takedown announced Wednesday, the NetWalker ransomware has also been partially disrupted by an international police action.

The Department of Justice said Wednesday that it has brought charges “against a Canadian national in relation to NetWalker ransomware attacks,” while also seizing around $454,500 in cryptocurrency from ransom payments made by three separate victims.

The Canadian in question, Sebastien Vachon-Desjardins of Gatineau, is alleged to have raked in more than $27.6 million overall from NetWalker activities, as an affiliate to the operation. Affiliates partner with ransomware gangs in order to gain access to the malware, but they carry the actual attacks out themselves and pocket as much as 80 percent of the ransom in return.

He has been arrested in Canada; the U.S. has requested extradition. He is already set to return to the United States to stand trial in Florida for theft and drug trafficking, according to reports.

NetWalker affiliate Sebastien Vachon-Desjardins, in a Facebook photo. Source: Journal de Montreal.

“This represents a significant win for the good guys,” Brett Callow, threat analyst at Emisoft, told Threatpost. “Historically, too few cybercriminals have been prosecuted. Hopefully, actions such as this will create a real deterrent and, coupled with other measures, start to have an impact on ransomware and other forms of cybercrime.”

He pointed out that according to Third Way, the effective enforcement rate for cybercrime in the U.S. is only 0.05 percent – which the think-tank describes as a “stunning enforcement gap.”

According to an analysis from Chainanalysis, Vachon-Desjardins carried out 91 total ransomware attacks, with NetWalker but also as an affiliate for REvil and Ragnar Locker as well.

NetWalk of Shame

The NetWalker ransomware has impacted numerous types of victims since bursting on the scene in 2020; but it has made healthcare targets a particular focus, using the COVID-19 pandemic to better extort organizations.

NetWalker’s victims include the University of California – San Francisco (a leading institution in biological and medical research and home to a medical school and a medical center); the Crozer-Keystone Health System, Champaign-Urbana Public Health District and the College of Nurses of Ontario. It is also the scourge behind one of the Toll Group attacks.

In mid-2020, NetWalker authors notably transitioned to a ransomware-as-a-service (RaaS) model, where they rent the malware and surrounding services to affiliates who carry out the actual attacks. Authors and affiliates then split the profits. Its operators are known for placing a heavy emphasis on targeting and attracting technically advanced affiliates, according to researchers, with special expertise in network access.

Dark Web Site Seized

Meanwhile, the Bulgarian national police force has disabled “a Dark Web hidden resource used to communicate with NetWalker ransomware victims” to provide payment instructions; researchers said the Tor node is also the group’s leaks site, where it publishes stolen victim information if the target refuses to pay a ransom in a form of double extortion.

“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division, in a statement. “Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”

Earlier on Wednesday researchers reported on Twitter that NetWalker’s Dark Web site was displaying a purported seizure notice.

The Feds confirmed the action a few hours later.

“While the seizure is a step in the right direction, it is still unknown if it will have a significant impact to the group’s activities, unless the operators have been apprehended,” Ivan Righi, cyber-threat intelligence analyst at Digital Shadows, told Threatpost. “It is likely that the operators of NetWalker will simply create another data-leak site, as other groups such as Conti and Maze have done previously. Another positive outcome of the law enforcement action is the potential discovery of decryption keys that could help current victims access their files.”

This article was updated at 4:45 p.m. ET on Jan. 29 to include information about the suspect’s detainment, extradition and other alleged illegal activity.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!


Suggested articles