Law enforcement agencies from Bulgaria and the US have disrupted the infrastructure of NetWalker, one of the most active ransomware gangs of 2020.
A server that was used to host dark web portals for the NetWalker gang was seized by Bulgarian officials, while officials in the US indicted a Canadian national who allegedly made at least $27.6 million from infecting companies with the NetWalker ransomware.
The seized servers were used to host pages where victims of NetWalker attacks were redirected to communicate with the attackers and negotiate ransom demands.
The same server also hosted a blog section containing leaked data stolen from hacked companies that refused to pay the ransom demand.
No details about the indicted Canadian national are available other than his name and residence: Sebastien Vachon-Desjardins, of Gatineau.
Vachon-Desjardins is currently believed to be an “affiliate,” a person who rented the ransomware code from the NetWalker creator. He was also reported to have worked as an affiliate for other ransomware gangs, such as Sodinokibi, Suncrypt, and RagnarLocker.
This kind of business, called Ransomware-as-a-Service (RaaS), is a common setup employed by many ransomware gangs today.
Before the takedown of the site, NetWalker operated through topics posted on several underground forums by a user named Bugatti. This user advertised the ransomware’s features and looked for “partners” (or affiliates) that would breach corporate networks, steal data to be used as leverage during negotiations, and install the ransomware to encrypt files.
If the victims paid, Bugatti and the affiliate would share the ransom payments according to a pre-negotiated agreement.
According to US authorities, NetWalker has affected at least 305 victims from 27 different countries, including 203 in the US.
According to a report from McAfee published in August 2020, the NetWalker ransomware operation made a profit of more than $25 million from ransom payments from March to July 2020 alone.
A more recent report stated that blockchain analysis firm Chainalysis updated that figure to more than $46 million for all of 2020, making NetWalker one of the year’s top 5 grossing ransomware strains, alongside Ryuk, Maze, Doppelpaymer, and Sodinokibi.
In addition, the US DOJ managed to seize $454,530.19 in cryptocurrency believed to be linked to ransom payments made by three past NetWalker victims.