Authorities shut down Netwalker operations; main operator of the ransomware is arrested

In a recent report, the U.S. Department of Justice (DOJ) publicly disclosed the shutdown of the Netwalker ransomware operation and announced charges against Canadian citizen Sebastien Vachon-Desjardins of Gatineau, identified as the main criminal operator. The arrest was made possible by the joint work of U.S. and Bulgarian authorities, who seized Netwalker's dark web sites, on which the threat actors published data stolen from infected organizations.

Active since late 2019, Netwalker operators have generated severe financial losses for hundreds of organizations worldwide. DOJ documents mention that this cybercriminal group made about $25 million USD over the past five months.


As for the defendant, the authorities estimate that Desjardins made a net profit of more than $27 million USD. It should be noted that Desjardins only began operating within the cybercriminal infrastructure in mid-2020, so he was not involved in the development of this malware variant.

Netwalker operated as a ransomware-as-a-service (RaaS) platform, meaning its developers partnered with affiliates like Desjardins, who were responsible for identifying potential victims and carrying out the malicious activity that compromised the affected systems. The proceeds were then shared between the affiliates and the malware developers.

In an incident related to this investigation, the Federal Bureau of Investigation (FBI) managed to seize about $450,000 USD in cryptocurrencies, which were part of the profits made by these threat actors.

Among the most prominent victims of this ransomware operation are organizations such as Equinix, Enel Group, Argentina’s migration agency, the University of California San Francisco, as well as hundreds of small and medium-sized companies. Cybercriminals also attacked municipalities, hospitals, research agencies, emergency services, school districts, colleges, and universities throughout the U.S.

While this is a great achievement for the authorities in Bulgaria and the United States, it is too optimistic to think that this is the end of Netwalker's operation. The detection of similar operations, the developers' prior work, and the amount of profit that authorities have been unable to trace lead the DOJ to believe that the developers could launch a similar ransomware platform again in the future.

For more information on vulnerabilities, exploits, malware variants, cybersecurity risks and information security courses, feel free to access the International Cyber Security Institute (IICS) website.