DOJ Launches International Law Enforcement Action Against NetWalker Ransomware

The Department of Justice (DOJ) announced Wednesday that it launched a coordinated international law enforcement action effort against NetWalker, what it called “a sophisticated form of ransomware.”

The DOJ claimed that the NetWalker ransomware has affected numerous victims, such as “companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities.” According to the Department, the ransomware attacks have “specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.”

The DOJ explained that it brought charges against a Canadian national regarding the attacks where more than $27.6 million was purportedly obtained. Other actions included the seizure of ransomware payments including approximately $454,530.19 in cryptocurrency from three separate attacks and the disabling of a “dark web hidden resource used to communicate with NetWalker ransomware victims.”

According to court documents, NetWalker “operates as a so-called ransomware-as-a-service model, featuring ‘developers’ and ‘affiliates.’ ” In particular, the developers allegedly create and update the ransomware, while making it available to affiliates, who identify and attack “high-value victims” with the ransomware; once the victim pays the ransom, the developers and affiliates split it. The DOJ, citing the affidavit, stated that “once a victim’s computer network is compromised and data is encrypted, actors that deploy NetWalker deliver a file, or ransom note, to the victim. Using Tor, a computer network designed to facilitate anonymous communication over the internet, the victim is then provided with the amount of ransomware demanded and instructions for payment .”

The DOJ contended that unauthorized access to a victim’s computer network often happened days or weeks before the bad actors deployed NetWalker and the ransom note. Reportedly, during this time, the bad actors “surreptitiously elevate their privileges within the network while spreading the ransomware from workstation to workstation. They then send the ransom note only once they are satisfied that they have sufficiently infiltrated the victim’s network to extort payment.”

The DOJ added that Bulgarian authorities seized a dark web hidden resource this week that NetWalker ransomware affiliates used to provide payment instruction and communicate with victims; visitors to the hidden resource will now find a seizure banner notifying them that it has been seized by authorities.

“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division said. “Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”

“This case illustrates the FBI’s capabilities and global partnerships in tracking ransomware attackers, unmasking them, and holding them accountable for their alleged criminal actions,” said Special Agent in Charge Michael F. McPherson of the FBI’s Tampa Field Office.

The DOJ stated that the investigation was led by the FBI’s Tampa field office. Additionally, attorneys from the Criminal Division’s Computer Crime and Intellectual Property Section and the U.S. Attorney’s Office for the Middle District of Florida were involved in the case. Assistance also was provided by the DOJ’s Office of International Affairs, the Bulgarian National Investigation Service, and General Directorate Combating Organized Crime.