In collaboration with Bulgarian authorities, the U.S. Department of Justice (DOJ) disrupted a well-known ransomware gang's infrastructure. Law enforcement seized their servers and traced the illicit funds with the help of blockchain forensic analytics from Chainalysis.
US Authorities Seized Over $454,000 Worth of Cryptocurrencies
Per the U.S. Department of Justice's announcement, the coordinated action took down Netwalker, one of the most active ransomware groups of the past year, which focused in particular on the health care sector.
The U.S. authorities also indicted a Canadian national, Sebastien Vachon-Desjardins, who allegedly obtained $27.6 million as a "Netwalker affiliate."
Authorities seized the server that hosted the gang's dark web site, where victims were directed to negotiate ransom payments. The DOJ also said that $454,530.19 in cryptocurrency from ransom payments was seized.
Law enforcement used Chainalysis' investigative tools to trace Netwalker transactions. The blockchain analytics firm says it has tracked more than $46 million worth of Netwalker ransom payments since the strain first appeared in August 2019.
U.S. authorities believe the gang hit 205 victims in 27 countries over its lifetime, 203 of them in the U.S.
Speaking with news.Bitcoin.com, Brett Callow, threat analyst at malware lab Emsisoft, commented on the authorities' action against Netwalker:
Netwalker operates on an affiliate model: outside operators deploy the ransomware and split the proceeds with the core group. Chainalysis elaborates on what blockchain analysis revealed about that infrastructure:
The firm says there were fewer than 20 unique affiliates. Some rarely deployed the ransomware, while others moved on to other ransomware strains, which is why Chainalysis Reactor, the tool investigators used, also traced payments the affiliates received from other variants.
Corroborating that affiliates had moved to other strains, Chainalysis found that the Netwalker administrator had posted an advertisement on darknet forums seeking new affiliates because vacancies "had freed up."
Tracing Suspected Netwalker Affiliate
On how the authorities traced Vachon-Desjardins' activities, Chainalysis explained:
Citing government partners, Chainalysis says Vachon-Desjardins took part in at least 91 Netwalker attacks since April 2020, deploying the malware as an affiliate and keeping 80% of each ransom. The firm also suspects the alleged Netwalker affiliate deployed other ransomware strains.
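The two analytic steps the article describes, following ransom payments forward through the transaction graph and recognising an affiliate by the recurring 80/20 payout split, can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not Chainalysis Reactor, not any law enforcement tooling, and not tied to the real Netwalker addresses. The ledger, addresses ("ransom-1", "affil-A", "operator", "exchange-deposit") and amounts are all constructed, and the 80% share is taken from the article's description of the affiliate payout.

```python
"""Toy transaction-graph tracing of ransomware affiliate payouts.

Added example, not Chainalysis' or any authority's tooling. The ledger,
addresses and amounts below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list    # (prev_txid, output_index) pairs being spent
    outputs: list   # (address, amount_btc) pairs


def build_index(txs):
    """Map txid -> Tx, and each spent outpoint (txid, idx) -> the Tx spending it."""
    by_id = {tx.txid: tx for tx in txs}
    spender = {prev: tx for tx in txs for prev in tx.inputs}
    return by_id, spender


def outputs_to(tx, address):
    return [(tx.txid, i) for i, (addr, _) in enumerate(tx.outputs) if addr == address]


def trace_forward(txs, address, max_hops=3):
    """Breadth-first walk of funds leaving `address` through later transactions.

    Returns {address: btc_seen} for every address reached within max_hops.
    Whole outputs are attributed to the trail (no proportional taint), so a
    downstream transaction that also mixes in other coins over-counts; a real
    analytics tool weights by input share before applying clustering heuristics.
    """
    _, spender = build_index(txs)
    reached = defaultdict(float)
    seen_tx = set()
    frontier = [(out, 0) for tx in txs for out in outputs_to(tx, address)]
    while frontier:
        outpoint, hops = frontier.pop(0)
        nxt = spender.get(outpoint)
        if nxt is None or hops >= max_hops or nxt.txid in seen_tx:
            continue
        seen_tx.add(nxt.txid)
        for i, (addr, amt) in enumerate(nxt.outputs):
            reached[addr] += amt
            frontier.append(((nxt.txid, i), hops + 1))
    return dict(reached)


def find_affiliate_splits(txs, ransom_addresses, share=0.80, tol=0.02):
    """Find two-output transactions spending only ransom receipts in a ~share/(1-share) split.

    Returns [(txid, large_share_address, small_share_address, large_fraction)].
    The fraction is computed over the outputs, so the miner fee does not skew it.
    """
    by_id, _ = build_index(txs)
    results = []
    for tx in txs:
        if len(tx.outputs) != 2:
            continue
        sources = [by_id[p].outputs[i][0] for p, i in tx.inputs if p in by_id]
        if len(sources) != len(tx.inputs) or not all(a in ransom_addresses for a in sources):
            continue
        (a1, v1), (a2, v2) = tx.outputs
        big, small = ((a1, v1), (a2, v2)) if v1 >= v2 else ((a2, v2), (a1, v1))
        frac = big[1] / (v1 + v2)
        if abs(frac - share) <= tol:
            results.append((tx.txid, big[0], small[0], round(frac, 3)))
    return results


def cluster_affiliates(splits):
    """Group split transactions by the address that repeatedly takes the large share.

    One address collecting the 80% cut across unrelated ransoms is treated as a
    single affiliate's payout address (a behavioural heuristic, not proof of identity).
    """
    clusters = defaultdict(list)
    for txid, affiliate, _, _ in splits:
        clusters[affiliate].append(txid)
    return dict(clusters)


# Constructed ledger: three victims pay, each payout is split ~80/20 minus a fee,
# and affiliate A later consolidates its cut to an exchange deposit address.
RANSOM_ADDRESSES = {"ransom-1", "ransom-2", "ransom-3"}
LEDGER = [
    Tx("v1", [("coinbase", 0)], [("ransom-1", 10.0)]),
    Tx("v2", [("coinbase", 1)], [("ransom-2", 4.0)]),
    Tx("v3", [("coinbase", 2)], [("ransom-3", 2.5)]),
    Tx("p1", [("v1", 0)], [("affil-A", 7.96), ("operator", 1.99)]),
    Tx("p2", [("v2", 0)], [("operator", 0.79), ("affil-A", 3.19)]),
    Tx("p3", [("v3", 0)], [("affil-B", 1.99), ("operator", 0.50)]),
    Tx("c1", [("p1", 0), ("p2", 1)], [("exchange-deposit", 11.1)]),
]

if __name__ == "__main__":
    splits = find_affiliate_splits(LEDGER, RANSOM_ADDRESSES)
    print("payout splits:", splits)
    print("affiliate clusters:", cluster_affiliates(splits))
    print("funds leaving ransom-1:", trace_forward(LEDGER, "ransom-1"))
```

The trace from "ransom-1" reaches "exchange-deposit" only because affiliate A's consolidation transaction is in the ledger; that hop is where an investigator would turn to a subpoena or exchange KYC records, which is the part no amount of graph walking replaces.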