28 January 2021

Law enforcement operation dismantles NetWalker ransomware’s dark web sites


As part of a coordinated effort, law enforcement from the US and Bulgaria have seized the dark web payment websites associated with the NetWalker ransomware operation. These sites were used by NetWalker ransomware affiliates to provide payment instructions and communicate with victims.

NetWalker is a Ransomware-as-a-Service (RaaS) operation, active since late 2019. This cybercrime business model involves so-called “developers” and “affiliates”. Developers are responsible for creating and updating the ransomware and making it available to affiliates, who, in turn, use it to attack high-value victims. Once a ransom is paid, the funds are split among all parties involved.

“NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities, and even the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims,” according to the US Department of Justice.

Law enforcement also seized around $454,530.19 in cryptocurrency, made up of ransom payments from victims of three separate NetWalker ransomware attacks.

The DoJ also announced the indictment of Sebastien Vachon-Desjardins, a Canadian national from Gatineau, in relation to NetWalker ransomware attacks in which tens of millions of dollars were allegedly obtained.

The indictment alleges that Vachon-Desjardins obtained at least over $27.6 million as a result of the illicit activities. He had been part of the operation since at least April 2020 and appears to be an affiliate rather than a member of the developer group.
