US officials have charged a Canadian man following an investigation into a series of attacks involving the same malware that took down some NWT Power Corporation systems last year.
According to an indictment, Sebastien Vachon-Desjardins of Gatineau, Quebec, has been charged in Florida with conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.
Court documents allege Vachon-Desjardins was involved in a NetWalker attack on a company in Tampa Bay, Florida, in May. If convicted, he will have to forfeit more than US $27 million he is alleged to have obtained through the attack.
The charges against Vachon-Desjardins have not been proven in court.
While NetWalker was also used against the NWT Power Corporation, the identity of those involved in that particular attack remains unknown.
“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Nicholas McQuaid, acting assistant attorney with the US justice department, in a statement.
NetWalker uses what is known as a ransomware-as-a-service model. Developers create and update the ransomware and make it available to international affiliates, who identify and attack victims.
It works by blocking access to a victim’s computer network then threatening to either withhold or publish data until a ransom is paid.
Since August 2019, hackers using NetWalker have targeted dozens of victims including municipalities, hospitals, law enforcement and emergency services, and education institutions.
The NWT Power Corporation was the target of a NetWalker attack in April. A spokesperson for the corporation told Cabin Radio an investigation did not find evidence that attackers stole sensitive information and said the corporation did not pay a ransom.
Documents obtained by Cabin Radio indicate officials still don’t know how hackers accessed the corporation’s systems, nor who was responsible.
On Wednesday, US officials said they seized approximately US $450,000 in cryptocurrency from three separate NetWalker attacks. They also disabled a dark web site hackers had used to communicate with Netwalker victims.
An affidavit from an FBI agent alleges details of an international ransomware network involving cryptocurrency and money laundering.
According to the affidavit, the NetWalker attacks were on three separate US-based companies between May and June who collectively paid a ransom of US $4,213,427 in bitcoin.
Investigators were able to track those ransom payments, which were quickly dispersed among a variety of addresses.
One recipient of the ransom payments deposited bitcoin into an account with Binance Holdings, one of the world’s largest cryptocurrency exchange platforms, which is registered in the Cayman Islands.
The affidavit says that account was registered with a 20-year-old Ukrainian who exchanged the majority of the bitcoin for Tether, another cryptocurrency.
“The anonymity provided by bitcoin, coupled with the series of rapid transfers following the initial transfer of the victim’s ransom payments to the NetWalker payment addresses are consistent with efforts taken to conceal the nature and source of the illicit funds,” the affidavit states.
Authorities in Bulgaria have seized a dark web resource used by NetWalker hackers to provide payment instructions and communicate with victims.
“While these individuals believe they operate anonymously in the digital space, we have the skill and tenacity to identify and prosecute these actors to the full extent of the law and seize their criminal proceeds,” Maria Chapa Lopez, US Attorney for the Middle District of Florida, said in a statement.