Law enforcement agencies from several countries have teamed up in a coordinated effort against a ransomware called NetWalker. According to the US Department of Justice’s announcement, NetWalker was used to attack schools, hospitals, companies, government agencies and emergency services. Bad actors used it as a tool to target the healthcare sector during the COVID-19 pandemic, in particular, “taking advantage of the global crisis to extort victims.”
NetWalker uses the ransomware-as-a-service model, wherein “developers” are in charge of creating and updating the ransomware for “affiliates.” Meanwhile, those affiliates are responsible for identifying and attacking high-value victims. They spend weeks elevating their privileges in the victims’ network before sending a ransom note with the amount they’re demanding. The two groups then split the ransom victims pay to get their files unlocked.
The DOJ says Bulgarian authorities seized a dark web site NetWalker affiliates use to tell victims how they can pay ransom earlier this week. That site now displays a banner with a notice that it’s been seized by authorities. A Canadian national from Gatineau named Sebastien Vachon-Desjardins was also charged in a Florida court, accusing him of obtaining over $27.6 million from NetWalker-related activities as an affiliate. Finally, on January 10th, authorities managed to get their hands on $454,530.19 worth of cryptocurrency, which is made up of payments made by three NetWalker victims.
That’s just a tiny fraction of the money that changed hands due to the ransomware, though. As KrebsOnSecurity notes, Chainalysis traced more than $46 million worth of funds in NetWalker ransoms since it first popped up back in August 2019. Acting Assistant Attorney General Nicholas L. McQuaid is encouraging victims to come forward as soon as possible after an attack, because that could lead to significant results. He said:
“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims. Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”
The DOJ’s announcement came out on the same day Europol revealed that authorities in the US, Canada and several European countries have disrupted the infrastructure for Emotet. It’s known as one of the “most dangerous” botnets in the world, seeing as it’s good at evading antivirus tools and can be used to deliver ransomware and other malware.