{
	"id": "30dc52c5-bd01-41fe-91bb-eee7b6ff66df",
	"created_at": "2026-04-06T00:08:45.419033Z",
	"updated_at": "2026-04-10T03:21:30.998576Z",
	"deleted_at": null,
	"sha1_hash": "6e4d9ddacc3435ed8ed10008ea8defa58d43db2f",
	"title": "Arrest, Seizures Tied to Netwalker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 590873,
	"plain_text": "Arrest, Seizures Tied to Netwalker Ransomware\r\nPublished: 2021-01-27 · Archived: 2026-04-05 20:57:36 UTC\r\nU.S. and Bulgarian authorities this week seized the darkweb site used by the NetWalker ransomware cybercrime\r\ngroup to publish data stolen from its victims. In connection with the seizure, a Canadian national suspected of\r\nextorting more than $27 million through the spreading of NetWalker was charged in a Florida court.\r\nThe victim shaming site maintained by the NetWalker ransomware group, after being seized by authorities this\r\nweek.\r\nNetWalker is a ransomware-as-a-service crimeware product in which affiliates rent access to the continuously\r\nupdated malware code in exchange for a percentage of any funds extorted from victims. The crooks behind\r\nNetWalker used the now-seized website to publish personal and proprietary data stolen from their prey, as part of a\r\npublic pressure campaign to convince victims to pay up.\r\nNetWalker has been among the most rapacious ransomware strains, hitting at least 305 victims from 27 countries\r\n— the majority in the United States, according to Chainalysis, a company that tracks the flow of virtual currency\r\npayments.\r\n“Chainalysis has traced more than $46 million worth of funds in NetWalker ransoms since it first came on the\r\nscene in August 2019,” the company said in a blog post detailing its assistance with the investigation. “It picked\r\nup steam in mid-2020, growing the average ransom to $65,000 last year, up from $18,800 in 2019.”\r\nhttps://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware\r\nPage 1 of 4\n\nImage: Chainalysis\r\nIn a statement on the seizure, the Justice Department said the NetWalker ransomware has impacted numerous\r\nvictims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts,\r\ncolleges, and universities. For example, the University of California, San Francisco paid $1.14 million last\r\nsummer in exchange for a digital key needed to unlock files encrypted by the ransomware.\r\n“Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the\r\nglobal crisis to extort victims,” the DOJ said.\r\nU.S. prosecutors say one of NetWalker’s top affiliates was Sebastien Vachon-Desjardins, of Gatineau, in Ottawa,\r\nCanada. An indictment unsealed today in Florida alleges Vachon-Desjardins obtained at least $27.6 million from\r\nthe scheme.\r\nThe DOJ’s media advisory doesn’t mention the defendant’s age, but a 2015 report in the Gatineau local news\r\nwebsite ledroit.com suggests this may not be his first offense. According to the story, a then-27-year-old Sebastien\r\nVachon-Desjardins was sentenced to more than three years in prison for drug trafficking: He was reportedly found\r\nin possession of more than 50,000 methamphetamine tablets.\r\nThe NetWalker action came on the same day that European authorities announced a coordinated takedown\r\ntargeting the Emotet crimeware-as-a-service network. Emotet is a pay-per-install botnet that is used by several\r\ndistinct cybercrime groups to deploy secondary malware — most notably the ransomware strain\r\nRyuk and Trickbot, a powerful banking trojan.\r\nThe NetWalker ransomware affiliate program kicked off in March 2020, when the administrator of the crimeware\r\nproject began recruiting people on the dark web. Like many other ransomware programs, NetWalker does not\r\npermit affiliates to infect systems physically located in Russia or in any other countries that are part of the\r\nCommonwealth of Independent States (CIS) — which includes most of the nations in the former Soviet Union.\r\nThis is a prohibition typically made by cybercrime operations that are coordinated out of Russia and/or other CIS\r\nnations because it helps minimize the chances that local authorities will investigate their crimes.\r\nThe following advertisement (translated into English by cybersecurity firm Intel 471) was posted by the\r\nNetWalker affiliate program manager last year to a top cybercrime forum. It illustrates the allure of the\r\nransomware affiliate model, which handles everything from updating the malware to slip past the latest antivirus\r\nupdates, to leasing space on the dark web where affiliates can interact with victims and negotiate payment. The\r\naffiliate, on the other hand, need only focus on finding new victims.\r\nWe are recruiting affiliates for network processing and spamming.\r\nWe are interested in people whose priority is quality and not quantity.\r\nWe prefer candidates who can work with large networks and have their own access to them.\r\nWe are going to recruit a limited number of affiliates and then close the openings until they are\r\navailable again.\r\nWe offer you prompt and flexible ransomware, a user-friendly admin panel in Tor, an automated\r\nservice.\r\nEncryption of shared accesses: if several users are logged in to the target computer, the ransomware will\r\ninfect their mapped drives, as well as network resources where those users are logged in — shared\r\naccesses/NAS etc.\r\nPowershell build. Each build is unique, in that the malware is inside the script – it is not downloaded\r\nfrom the internet. This makes bypassing antivirus protection easier, including Windows Defender\r\n(cloud+).\r\nA fully automated blog where the victim’s dumped data is directed. The data is published according to\r\nyour settings. Instant and automated payouts: initially 20 percent, no less than 16 percent.\r\nAccessibility of a crypting service to avoid AV detections.\r\nThe ransomware has been in use since September 2019 and proved to be reliable. The files encrypted\r\nwith it cannot be decrypted.\r\nTargeting Russia or the CIS is prohibited.\r\nYou’ll get all the information about the ransomware as well as terms and conditions after you place an\r\napplication via PM.\r\nApplication form:\r\n1) The field you specialize in.\r\n2) Your experience. What other affiliate programs have you been in and what was your profit?\r\n3) How many accesses [to networks] do you have? When are you ready to start? How many accesses do\r\nyou plan on monetizing?",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware"
	],
	"report_names": [
		"arrest-seizures-tied-to-netwalker-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434125,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e4d9ddacc3435ed8ed10008ea8defa58d43db2f.pdf",
		"text": "https://archive.orkl.eu/6e4d9ddacc3435ed8ed10008ea8defa58d43db2f.txt",
		"img": "https://archive.orkl.eu/6e4d9ddacc3435ed8ed10008ea8defa58d43db2f.jpg"
	}
}