In partnership with Bulgarian authorities, the US Department of Justice (DOJ) has disrupted the infrastructure of a known ransomware gang. Law enforcement officers seized the gang's servers and traced the illicit funds using blockchain forensic analysis performed with Chainalysis tools.
US authorities seized more than $454,000 worth of cryptocurrency
According to the United States Department of Justice announcement, the coordinated action disrupted Netwalker, a ransomware group that has been highly active over the past year and has specifically targeted the healthcare sector.
US authorities have also indicted a Canadian citizen, Sébastien Vachon-Desjardins, who is alleged to have obtained $27.6 million as a "Netwalker affiliate".
Authorities seized a server hosting the gang's site on the dark web, where victims were directed to arrange ransom negotiations. Additionally, the US DOJ said that $454,530.19 worth of cryptocurrency was seized from ransom payments.
With the support of blockchain analysis, law enforcement used Chainalysis investigation tools to track Netwalker transactions. The blockchain analytics company had tracked more than $46 million in Netwalker ransom payments since the group first appeared in August 2019.
US authorities believe the ransomware gang attacked 205 victims from 27 different countries in its lifetime, including 203 in the US.
Brett Callow, threat analyst at the security firm Emsisoft, spoke to news.Bitcoin.com about the authorities' action against Netwalker:
Ransomware groups have been operating with near-total impunity for a long time, which means there is little deterrence. The rewards are huge, while the risks are small. The action against Netwalker changes that. In addition to disrupting the group’s revenue stream, it also sends a clear signal that cyber criminals are not beyond the scope of the law. Will that create a deterrent? No, but it is certainly a step in the right direction.
Netwalker ransomware operates through an affiliate program, in which outside operators deploy the ransomware and share the revenue with the gang. Chainalysis takes a closer look at what blockchain analysis revealed about this structure:
Typically, there are four roles that receive revenue from Netwalker attacks: the likely administrator or developer (8-10%), the affiliate (76-80%), and two commissioned roles (2.5-5% each). An affiliate, such as Vachon-Desjardins, is usually responsible for gaining access to the victim's network and deploying the malware. There are also instances where one wallet receives 100% of the payment, which we believe is from the Netwalker administrator and indicates that he or she may also be directly involved in some of the attacks.
The analytics firm says there were fewer than 20 unique affiliates. Some of them rarely deployed the ransomware, while others moved on to other, similar ransomware variants. Using Chainalysis Reactor, the tool used by the authorities, the firm also tracked payments the affiliates received from those other variants.
Corroborating the finding that some affiliates had moved to other ransomware families, Chainalysis found that the Netwalker administrator had posted an ad on darknet forums. The administrator was looking for new partners because positions "had become vacant".
Tracing a suspected Netwalker affiliate
On how the authorities traced Vachon-Desjardins’ activities, Chainalysis explained:
Blockchain analysis revealed that at least 345 addresses are associated with Vachon-Desjardins dating back to February 2018, with transactions continuing up to the date of this writing (January 27, 2021). He reportedly received more than $14 million worth of bitcoin at the time the funds were received, and would end up holding at least $27.6 million given bitcoin's rising value.
Citing government partners, Chainalysis says that Vachon-Desjardins has been involved in at least 91 attacks with the Netwalker ransomware since April 2020, deploying the malware as an affiliate and receiving 80% of each ransom. The analytics company also suspects that the alleged Netwalker affiliate was involved in deploying other types of ransomware.