{
	"id": "ca1d4255-be33-4b6e-8be9-f05ab0c8c034",
	"created_at": "2026-04-06T03:35:35.02456Z",
	"updated_at": "2026-04-10T03:23:51.219192Z",
	"deleted_at": null,
	"sha1_hash": "6f38bd19271ef85317d340c2db3aa03fe2575836",
	"title": "Department of Justice Launches Global Action Against NetWalker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36992,
	"plain_text": "Department of Justice Launches Global Action Against NetWalker\r\nRansomware\r\nPublished: 2021-01-27 · Archived: 2026-04-06 03:25:16 UTC\r\nThe Department of Justice today announced a coordinated international law enforcement action to disrupt a\r\nsophisticated form of ransomware known as NetWalker.\r\nNetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law\r\nenforcement, emergency services, school districts, colleges, and universities. Attacks have specifically targeted the\r\nhealthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.\r\n“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the\r\nresponsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom\r\npayments extorted from victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice\r\nDepartment’s Criminal Division.  “Ransomware victims should know that coming forward to law enforcement as\r\nsoon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted\r\noperation.”\r\nThe NetWalker action includes charges against a Canadian national in relation to NetWalker ransomware attacks\r\nin which tens of millions of dollars were allegedly obtained, the seizure of approximately $454,530.19 in\r\ncryptocurrency from ransom payments, and the disablement of a dark web hidden resource used to communicate\r\nwith NetWalker ransomware victims.\r\n“This action reflects the resolve of the U.S. Attorney’s Office for the Middle District of Florida to target and\r\ndisrupt sophisticated, international cybercrime schemes,” said U.S. Attorney Maria Chapa Lopez for the Middle\r\nDistrict of Florida.  
“While these individuals believe they operate anonymously in the digital space, we have the\r\nskill and tenacity to identify and prosecute these actors to the full extent of the law and seize their criminal\r\nproceeds.”\r\nAccording to court documents, NetWalker operates as a so-called ransomware-as-a-service model, featuring\r\n“developers” and “affiliates.” Developers are responsible for creating and updating the ransomware and making it\r\navailable to affiliates. Affiliates are responsible for identifying and attacking high-value victims with the\r\nransomware, according to the affidavit. After a victim pays, developers and affiliates split the ransom.\r\n“This case illustrates the FBI’s capabilities and global partnerships in tracking ransomware attackers, unmasking\r\nthem, and holding them accountable for their alleged criminal actions,” said Special Agent in Charge Michael F.\r\nMcPherson of the FBI’s Tampa Field Office. “If you are a victim of ransomware, contact your local FBI field\r\noffice or submit a tip to tips.fbi.gov. You can also file a complaint with the FBI’s Internet Crime Complaint Center\r\nat www.ic3.gov.”\r\nSeizure page of dark web hidden resource used to communicate with NetWalker ransomware victims.\r\nhttps://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware\r\nPage 1 of 2\n\nAccording to the affidavit, once a victim’s computer network is compromised and data is encrypted, actors that\r\ndeploy NetWalker deliver a file, or ransom note, to the victim. Using Tor, a computer network designed to\r\nfacilitate anonymous communication over the internet, the victim is then provided with the amount of ransom\r\ndemanded and instructions for payment.\r\nActors that deploy NetWalker commonly gain unauthorized access to a victim’s computer network days or weeks\r\nprior to the delivery of the ransom note. 
During this time, they surreptitiously elevate their privileges within the\r\nnetwork while spreading the ransomware from workstation to workstation. They then send the ransom note only\r\nonce they are satisfied that they have sufficiently infiltrated the victim’s network to extort payment, according to\r\nthe affidavit.\r\nAccording to an indictment unsealed today, Sebastien Vachon-Desjardins of Gatineau, a Canadian national, was\r\ncharged in the Middle District of Florida. Vachon-Desjardins is alleged to have obtained at least over $27.6\r\nmillion as a result of the offenses charged in the indictment.\r\nThe Justice Department further announced that on Jan. 10, law enforcement seized approximately $454,530.19 in\r\ncryptocurrency, which was comprised of ransom payments made by victims of three separate NetWalker\r\nransomware attacks.\r\nThis week, authorities in Bulgaria also seized a dark web hidden resource used by NetWalker ransomware\r\naffiliates to provide payment instructions and communicate with victims. Visitors to the resource will now find a\r\nseizure banner that notifies them that it has been seized by law enforcement authorities.\r\nThe investigation was led by the FBI’s Tampa field office.\r\nTrial Attorneys S. Riane Harper and Brian Mund of the Criminal Division’s Computer Crime and Intellectual\r\nProperty Section and Assistant U.S. Attorneys Carlton C. Gammons and Suzanne Nebesky of the U.S. Attorney’s\r\nOffice for the Middle District of Florida are prosecuting the case against Vachon-Desjardins.\r\nSubstantial assistance was provided by the Department of Justice’s Office of International Affairs. Additionally,\r\nthe Bulgarian National Investigation Service and General Directorate Combating Organized Crime provided\r\nsubstantial assistance in the seizure of the dark web hidden resource.\r\nAn indictment is merely an allegation. 
A defendant is presumed innocent until proven guilty beyond a reasonable\r\ndoubt in a court of law.\r\nSource: https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware"
	],
	"report_names": [
		"department-justice-launches-global-action-against-netwalker-ransomware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446535,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f38bd19271ef85317d340c2db3aa03fe2575836.pdf",
		"text": "https://archive.orkl.eu/6f38bd19271ef85317d340c2db3aa03fe2575836.txt",
		"img": "https://archive.orkl.eu/6f38bd19271ef85317d340c2db3aa03fe2575836.jpg"
	}
}