Netwalker Ransomware Darknet Website Seized, First Indictment

[German]Next success for law enforcement, as they have seized the servers of the Netwalker ransomware gang's darknet website and charged a "affiliate" from Canada, possibly the head of the gang, from Canada (whether he was arrested is not entirely clear to me, but I suspect he was).


I already came across the following tweet from colleagues at Bleeping Computer yesterday, which contains seizure information. The information about the seizure, which took place in an internationally coordinated action also in the US and Bulgaria, can be found in this statement from the US Department of Justice.

Netwalker ransomware darknet website seized

Background on Netwalker

Netwalker  uses a Ransomware as a Service approach. This means that the cyber criminals provide the tools and infrastructure to place ransomware onto the system of victims in exchange for profit sharing. The group has invited interested cybercriminals on Russian dark web forums to become partners and spread the malware.

A dropper is used to infect the victims' systems and the malware nests. After days or weeks, the actual ransomware is then reloaded and performs its malicious functions such as encrypting the victim's files and extorting ransom. This action is performed on behalf of the cyber criminals who commissioned the extortion, with the netwalkers collecting commission (affiliate model).

The data collected so far indicates that the Netwalker ransomware was created by a Russian-speaking group of hackers. This particular grouping operates under the name Circus Spider. Unfortunately, Netwalker does more than just encrypt victims' data and demand ransom. Circus Spider regularly publishes samples of the data siphoned off during the ransomware infection before encryption in order to build pressure on the victims, it claims that the rest will be published on the dark web if the victim does not fulfill the demands in time. Circus Spider leaked a victim's sensitive data in a password-protected folder to the Dark Web and published the key online, Varonis security researchers write here.


The ransomware was first discovered in September 2019, though timestamps of the ransomware date to late August. It was originally believed to be a threat of the Mailto variant, but has since been found to be an updated version of it. Mailto was discovered by independent cybersecurity researcher and Twitter user GrujaRS, as Heimdal Security reported here.

I had published several blog posts about Netwalker infections (see City of Weiz (Austria): Computers infected with ransomware? for instance). Affiliates are offered a share of up to 84% of the payout if the previous week's sales exceed $300,000. If earnings are below this amount, they can still easily receive around 80% of the total value. The rest of 16-20% goes to the group behind Netwalker. In 2020 there was the information that the Netwalker ransomware group and their clients have already extorted $25 million from their victims in just five months, March 1, 2020.

The NetWalker ransomware has affected numerous victims, including businesses, municipalities, hospitals, law enforcement agencies, emergency services, school districts, colleges, and universities. The attacks specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.

However, joining this group is subject to its own rules. For example, affiliates are prohibited from taking action against organizations in Russia and the Commonwealth of Independent States. Moreover, it is specified that collaborators must always return the files of the victims who paid the ransom. Still, this is never a guarantee when it comes to ransomware hackers, as you can read at Heimdal Security. More background information can be found in articles from Heimdal Security and Varonis.

Seizure of darknet site and funds

The U.S. Department of Justice(DOJ) just announced, that U.S. law enforcement has led a strike against the Netwalker group. Led by the FBI in Tampa, Florida, the authorities seized the days a hidden dark web resource in Bulgaria. It is a Tor page of the Netwalker ransomware site, through which the payments and data releases were made. The Tor page was also used by NetWalker ransomware affiliates to provide payment information and communicate with victims. Visitors to the site will now find a seizure banner (see above tweet) informing them that it has been seized by law enforcement.

It is unclear whether law enforcement has also come into possession of the keys that could be used to decrypt the victims' files. It is also still unclear whether there have been any arrests of the operators. But there is an indictment. According to the indictment, Sebastien Vachon-Desjardins of Gatineau, Ottawa, a Canadian citizen, was charged in the Middle District of Florida. Vachon-Desjardins allegedly obtained at least $27.6 million through criminal acts, according to the indictment. Brian Krebs writes here, that Vachon-Desjardins was probably arrested in 2015. According to the artcle here, Sebastien Vachon-Desjardins, then 27, was sentenced to more than three years in prison for drug trafficking: He was allegedly in possession of more than 50,000 methamphetamine tablets.

The Justice Department also announced that law enforcement authorities seized some $454,530.19 in cryptocurrency on Jan. 10, made up of ransom payments from victims of three separate NetWalker ransomware attacks. However, it seems that the developers in Russia were not approached. Therefore, the question remains whether successors will be found to carve their own model from the leftovers as well. But it is good that the law enforcers managed to strike a new blow. After the excavation of the emote infrastructure, see the following links, another good news.

Similar articles:
City of Weiz (Austria): Computers infected with ransomware?
German BKA initiate a takedown of Emotet malware infrastructure
Emotet reportedly uninstalls itself on March 25, 2021

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *