In cooperation with the Bulgarian authorities, the US Department of Justice (DOJ) destroyed the infrastructure of a famous ransomware gang. Law enforcement officers confiscated their servers and tracked illegal funds through Chainalysis with the help of blockchain forensic analysis.
U.S. authorities seized cryptocurrencies worth more than $454,000
According to an announcement from the US Department of Justice, in the past year, coordinated actions have paralyzed Netwalker, an active ransomware organization that specifically targets the healthcare sector.
The US authorities also sued the Canadian national Sebastien Vachon-Desjardins, who allegedly received US$27.6 million as a “Netwalker member.”
The authorities confiscated a server and hosted its website on the dark web, and the gang redirected their victims to a place where ransom negotiations were arranged. In addition, the US Department of Justice stated that it seized $454,530.19 of cryptocurrency from the ransom.
With the support of blockchain analysis, law enforcement agencies use Chainalysis’s investigation tool to track Netwalker transactions. In fact, since its first appearance in August 2019, the blockchain company has traced more than $46 million worth of funds in the Netwalker ransom.
The US authorities believe that the ransomware group targeted 205 victims from 27 different countries in their lifetime, including 203 in the United States
In an interview with news.Bitcoin.com, Brett Callow, a threat analyst at the malware lab Emsisoft, commented on the authorities’ actions against Netwalker:
Ransomware groups have operated with almost total impunity for a long time, which means there is little deterrence. The reward is huge, but the risk is small. The lawsuit against Netwalker changed this. In addition to destroying the group’s source of income, it also sent a clear message that cybercriminals are not beyond the scope of the law. Will this produce a deterrent? No, but this is definitely a step in the right direction.
Netwalker ransomware uses an affiliate program, and outsiders can deploy ransomware and share revenue with gangs. Chainalysis elaborated on what the blockchain analysis of the infrastructure revealed:
Generally, there are four roles that can benefit from Netwalker attacks: possible administrators or developers (8-10%), affiliates (76-80%), and two delegated roles (2.5%-5% for each role) ). Members such as Vachon-Desjardins are usually responsible for gaining access to the victim network and deploying malware. In some cases, a wallet can get 100% of the payment. We believe that the wallet belongs to the Netwalker administrator and indicate that he or she may also be directly involved in certain attacks.
The analyst firm stated that there are fewer than 20 unique branches. Some of them rarely deploy ransomware, while others move to other similar ransomware. This is why the authorities use a tool called Chainalysis Reactor to track payments received by members from other variants.
In order to confirm the fact that some members switched to other viruses, Chainalysis discovered that Netwalker administrators posted advertisements on the Darknet forum. The administrator is looking for new members because the job vacancy “has been released.”
Track suspected Netwalker members
Regarding how the authorities track the activities of Vachon-Desjardins, Chainalysis explained:
Blockchain analysis shows that there are at least 345 addresses related to Vachon-Desjardins dating back to February 2018, and the transaction continues until the date of writing (January 27, 2021). He allegedly received more than 14 million U.S. dollars worth of Bitcoin when he received the funds, and given the increase in value, he eventually owned at least 27.6 million U.S. dollars.
Chainalysis quoted government partners as saying that since April 2020, Vachon-Desjardins has participated in at least 91 attacks using Netwalker ransomware, deployed the malware as a member, and received 80% of the ransom. The analyst firm also suspects that the so-called Netwalker subsidiary is involved in the deployment of other ransomware.
What do you think of the large-scale operation against the Netwalker ransomware group? Let us know in the comments section below.
Picture Credits: Shutterstock, Pixabay, Wiki Commons