mood, Posted January 27, 2021

Netwalker ransomware dark web sites seized by law enforcement

The dark web websites associated with the Netwalker ransomware operation have been seized by law enforcement from the USA and Bulgaria.

Netwalker is a Ransomware-as-a-Service (RaaS) operation that began operating in late 2019, where affiliates are enlisted to distribute the ransomware and infect victims in return for a 60-75% share of ransom payments.

This ransomware operation proved to be very profitable for the threat actors, with an August report estimating that they generated $25 million in just five months.

Today, the Netwalker ransomware Tor payment and data leak sites were seized by law enforcement and now display a seizure notice from the FBI and Bulgarian law enforcement.

Netwalker website seizure notice

The seizure notice states that the takedown was conducted by the US DOJ, the FBI, Bulgarian National Investigation Service, and Bulgaria's General Directorate Combating Organized Crime.

"This hidden site has been seized by the Federal Bureau of Investigation, as part of a coordinated law enforcement action taken against the NetWalker Ransomware."

"The action has been taken in coordination with the United States Attorney's Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance from the Bulgarian National Investigation Service and General Directorate Combating Organized Crime," the website seizure notice reads.

At this time, the FBI has not released any information on the takedown, so it is not clear if law enforcement was able to retrieve decryption keys as part of this operation or if arrests have been made.

With Netwalker being one of the most active ransomware families currently operating, access to decryption keys could allow many victims to recover their files for free.

The recovery of decryption keys would also be a massive win for law enforcement, as ransomware operations have been remarkably resistant to disruption.

Some of the high-profile victims targeted by Netwalker include Equinix, Enel Group, the Argentine immigration agency, University of California San Francisco (UCSF), and K-Electric.

BleepingComputer has contacted the FBI with further questions.

Source: Netwalker ransomware dark web sites seized by law enforcement
Karlston, Posted January 27, 2021

US charges NetWalker ransomware affiliate, seizes ransom payments

The U.S. Justice Department announced today the disruption of the Netwalker ransomware operation and the indictment of a Canadian national for alleged involvement in the file-encrypting extortion attacks.

Earlier today, BleepingComputer reported that law enforcement in the U.S. and Bulgaria seized Netwalker sites on the dark web used for leaking data from non-paying victims and for negotiating payments for data decryption.

In a press release published minutes ago, the DOJ confirms the success of the takedown effort in cooperation with the Bulgarian National Investigation Service and General Directorate Combating Organized Crime.

Netwalker affiliate charged

Despite starting in late 2019, the Netwalker ransomware operation caused financial losses of tens of millions of US dollars. A report in August 2020 notes that the actors made $25 million in just five months of activity.

Apart from seizing the dark web sites, the DOJ says that Canadian national Sebastien Vachon-Desjardins of Gatineau was charged in relation to Netwalker ransomware attacks. It is alleged that Desjardins obtained more than $27.6 million from the extortion activity.

His role in the operation began at least in April 2020, indicating that he is an affiliate and not part of the developer crew.

“According to an indictment unsealed today, Sebastien Vachon-Desjardins of Gatineau, a Canadian national, was charged in the Middle District of Florida. Vachon-Desjardins is alleged to have obtained at least over $27.6 million as a result of the offenses charged in the indictment.”

The model that most ransomware developers follow for their operations is to deploy a service and recruit affiliates like Desjardins who find high-value victims, breach them and deploy Netwalker on their systems. The ransom money is then split between the two partners, with affiliates taking the largest cut.

On January 10, law enforcement was able to seize a little over $450,000 in cryptocurrency that represented ransom payments from three distinct Netwalker victims.

Netwalker has encrypted the systems of some high-profile victims, including Equinix, Enel Group, the Argentine immigration agency, University of California San Francisco (UCSF), and K-Electric. The threat actors also attacked municipalities, hospitals, law enforcement organizations, emergency services, school districts, colleges, and universities.

This operation does not mean it’s the end of the Netwalker operation, but it’s definitely a step closer. Other affiliates exist and, given how profitable this illegal business is, developers have plenty of candidates to choose from.

Source: US charges NetWalker ransomware affiliate, seizes ransom payments
mood, Posted January 28, 2021

Arrest, Seizures Tied to Netwalker Ransomware

U.S. and Bulgarian authorities this week seized the darkweb site used by the NetWalker ransomware cybercrime group to publish data stolen from its victims. In connection with the seizure, a Canadian national suspected of extorting more than $27 million through the spreading of NetWalker was charged in a Florida court.

The victim shaming site maintained by the NetWalker ransomware group, after being seized by authorities this week.

NetWalker is a ransomware-as-a-service crimeware product in which affiliates rent access to the continuously updated malware code in exchange for a percentage of any funds extorted from victims. The crooks behind NetWalker used the now-seized website to publish personal and proprietary data stolen from their prey, as part of a public pressure campaign to convince victims to pay up.

NetWalker has been among the most rapacious ransomware strains, hitting at least 305 victims from 27 countries — the majority in the United States, according to Chainalysis, a company that tracks the flow of virtual currency payments.

“Chainalysis has traced more than $46 million worth of funds in NetWalker ransoms since it first came on the scene in August 2019,” the company said in a blog post detailing its assistance with the investigation. “It picked up steam in mid-2020, growing the average ransom to $65,000 last year, up from $18,800 in 2019.”

Image: Chainalysis

In a statement on the seizure, the Justice Department said the NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. For example, the University of California, San Francisco paid $1.14 million last summer in exchange for a digital key needed to unlock files encrypted by the ransomware.

“Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims,” the DOJ said.

U.S. prosecutors say one of NetWalker’s top affiliates was Sebastien Vachon-Desjardins, of Gatineau, in Ottawa, Canada. An indictment unsealed today in Florida alleges Vachon-Desjardins obtained at least $27.6 million from the scheme.

The DOJ’s media advisory doesn’t mention the defendant’s age, but a 2015 report in the Gatineau local news website ledroit.com suggests this may not be his first offense. According to the story, a then-27-year-old Sebastien Vachon-Desjardins was sentenced to more than three years in prison for drug trafficking: He was reportedly found in possession of more than 50,000 methamphetamine tablets.

The NetWalker action came on the same day that European authorities announced a coordinated takedown targeting the Emotet crimeware-as-a-service network. Emotet is a pay-per-install botnet that is used by several distinct cybercrime groups to deploy secondary malware — most notably the ransomware strain Ryuk and Trickbot, a powerful banking trojan.

The NetWalker ransomware affiliate program kicked off in March 2020, when the administrator of the crimeware project began recruiting people on the dark web. Like many other ransomware programs, NetWalker does not permit affiliates to infect systems physically located in Russia or in any other countries that are part of the Commonwealth of Independent States (CIS) — which includes most of the nations in the former Soviet Union.

This is a prohibition typically made by cybercrime operations that are coordinated out of Russia and/or other CIS nations because it helps minimize the chances that local authorities will investigate their crimes.

The following advertisement (translated into English by cybersecurity firm Intel 471) was posted by the NetWalker affiliate program manager last year to a top cybercrime forum. It illustrates the allure of the ransomware affiliate model, which handles everything from updating the malware to slip past the latest antivirus updates, to leasing space on the dark web where affiliates can interact with victims and negotiate payment. The affiliate, on the other hand, need only focus on finding new victims.

    We are recruiting affiliates for network processing and spamming.

    We are interested in people whose priority is quality and not quantity. We prefer candidates who can work with large networks and have their own access to them. We are going to recruit a limited number of affiliates and then close the openings until they are available again.

    We offer you prompt and flexible ransomware, a user-friendly admin panel in Tor, an automated service.

    Encryption of shared accesses: if several users are logged in to the target computer, the ransomware will infect their mapped drives, as well as network resources where those users are logged in — shared accesses/NAS etc.

    Powershell build. Each build is unique, in that the malware is inside the script – it is not downloaded from the internet. This makes bypassing antivirus protection easier, including Windows Defender (cloud+).

    A fully automated blog where the victim’s dumped data is directed. The data is published according to your settings.

    Instant and automated payouts: initially 20 percent, no less than 16 percent.

    Accessibility of a crypting service to avoid AV detections.

    The ransomware has been in use since September 2019 and proved to be reliable. The files encrypted with it cannot be decrypted.

    Targeting Russia or the CIS is prohibited.

    You’ll get all the information about the ransomware as well as terms and conditions after you place an application via PM.

    Application form:
    1) The field you specialize in.
    2) Your experience. What other affiliate programs have you been in and what was your profit?
    3) How many accesses [to networks] do you have? When are you ready to start? How many accesses do you plan on monetizing?

Source: Arrest, Seizures Tied to Netwalker Ransomware
aum, Posted January 28, 2021

Authorities Seize Dark-Web Site Linked to the Netwalker Ransomware

U.S. and Bulgarian authorities this week took control of the dark web site used by the NetWalker ransomware cybercrime group to publish data stolen from its victims.

"We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims," said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department's Criminal Division. "Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today's multi-faceted operation."

In connection with the takedown, a Canadian national named Sebastien Vachon-Desjardins from the city of Gatineau was charged in the U.S. state of Florida for extorting $27.6 million in cryptocurrency from ransom payments.

Separately, the Bulgarian National Investigation Service and General Directorate Combating Organized Crime seized a dark web hidden resource used by NetWalker ransomware affiliates — i.e., cybercrime groups responsible for identifying and attacking high-value victims using the ransomware — to provide payment instructions and communicate with victims.

Visitors to the website will now be greeted by a seizure banner notifying them that it has been taken over by law enforcement authorities.

Chainalysis, which aided in the investigation, said it has "traced more than $46 million worth of funds in NetWalker ransoms since it first came on the scene in August 2019," adding "it picked up steam in mid-2020, growing the average ransom to $65,000 last year, up from $18,800 in 2019."

In recent months, Netwalker emerged as a popular choice of ransomware strain besides Ryuk, Maze, Doppelpaymer, and Sodinokibi, with numerous companies, municipalities, hospitals, schools, and universities targeted by the cybercriminals to extort victims.

Before the takedown, the NetWalker administrator, who goes by the moniker "Bugatti" on darknet forums, is said to have posted an advertisement in May 2020 looking for additional Russian-speaking affiliates as part of a transition to a ransomware-as-a-service (RaaS) model, using the partners to compromise targets and steal data before encrypting the files.

The NetWalker operators have also been part of a growing ransomware trend called double extortion, where the attackers hold the stolen data hostage and threaten to publish the information should the target refuse to pay the ransom.

"After a victim pays, developers and affiliates split the ransom," the U.S. Department of Justice (DoJ) said.

Chainalysis researchers suspect that besides being involved in at least 91 attacks using NetWalker since April 2020, Vachon-Desjardins worked as an affiliate for other RaaS operators such as Sodinokibi, Suncrypt, and Ragnarlocker.

The NetWalker disruption comes on the same day that European authorities announced a coordinated takedown targeting the Emotet crimeware-as-a-service network. The botnet has been used by several cybercrime groups to deploy second-stage malware — most notably Ryuk and TrickBot.

Source