Law enforcement officials in the United States and Europe have seized the dark web sites associated with the NetWalker ransomware operation and charged a Canadian national in connection with the malware.
First spotted in 2019 and also known as Mailto, NetWalker was available as Ransomware-as-a-Service (RaaS) and is blamed for many high-profile attacks, including the hacking of a U.S. public health agency and an Australian transport and logistics firm.
NetWalker is also believed to be responsible for breaching the University of California San Francisco (UCSF) network, an incident that cost the university more than $1 million to recover from. The FBI warned in July of NetWalker attacks targeting government agencies.
In an August 2020 study, McAfee’s security researchers reported that the overall revenue generated by NetWalker had exceeded $25 million by July 2020.
In an announcement today, the U.S. Department of Justice said NetWalker has been used in attacks on health care providers, hospitals, law enforcement, municipalities, school districts, schools, universities, and private businesses.
“During the COVID-19 pandemic, attacks specifically targeted the healthcare sector, taking advantage of the global crisis to extort victims,” the DoJ reported.
The Department has announced charges related to NetWalker ransomware attacks against Sebastien Vachon-Desjardins of Gatineau, a Canadian national. He is estimated to have earned “at least over $27.6 million” in proceeds from the crimes listed in the indictment.
On Jan. 10, officials seized nearly $454,530.19 in bitcoin consisting of victims’ ransom payments. This week, Bulgarian authorities dismantled the dark web sites the NetWalker operators used to communicate with victims.
Visitors to the Tor sites now see a notice of the law enforcement action: “This hidden site was seized by the Federal Bureau of Investigation as part of a coordinated action taken against the NetWalker Ransomware by law enforcement.”
Ivan Righi, a cyber threat intelligence analyst at Digital Shadows, reported in response to an investigation that the leak site (where RaaS affiliates published data stolen from their victims) went down at about 9-10 AM (CT).