National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of cyberspace for the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

Authorities Seize Dark-Web Site Linked to the Netwalker Ransomware

28 January 2021

U.S. and Bulgarian authorities this week took control of the dark web site used by the NetWalker ransomware cybercrime group to publish data stolen from its victims.

“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division.

“Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”

In connection with the takedown, a Canadian national named Sebastien Vachon-Desjardins from the city of Gatineau was charged in the U.S. state of Florida for extorting $27.6 million in cryptocurrency from ransom payments.

Separately, the Bulgarian National Investigation Service and General Directorate Combating Organized Crime seized a dark web hidden resource used by NetWalker ransomware affiliates — i.e., cybercrime groups responsible for identifying and attacking high-value victims using the ransomware — to provide payment instructions and communicate with victims.


Visitors to the website will now be greeted by a seizure banner notifying them that it has been taken over by law enforcement authorities.

Chainalysis, which aided in the investigation, said it has “traced more than $46 million worth of funds in NetWalker ransoms since it first came on the scene in August 2019,” adding “it picked up steam in mid-2020, growing the average ransom to $65,000 last year, up from $18,800 in 2019.”

In recent months, NetWalker emerged as a popular choice of ransomware strain alongside Ryuk, Maze, Doppelpaymer, and Sodinokibi, with numerous companies, municipalities, hospitals, schools, and universities targeted by the cybercriminals to extort victims.

Before the takedown, the NetWalker administrator, who goes by the moniker “Bugatti” on darknet forums, is said to have posted an advertisement in May 2020 looking for additional Russian-speaking affiliates as part of a transition to a ransomware-as-a-service (RaaS) model, using the partners to compromise targets and steal data before encrypting the files.

The NetWalker operators have also been part of a growing ransomware trend called double extortion, where the attackers hold the stolen data hostage and threaten to publish the information should the target refuse to pay the ransom.


“After a victim pays, developers and affiliates split the ransom,” the U.S. Department of Justice (DoJ) said.

Chainalysis researchers suspect that, besides being involved in at least 91 attacks using NetWalker since April 2020, Vachon-Desjardins worked as an affiliate for other RaaS operators such as Sodinokibi, Suncrypt, and Ragnarlocker.

The NetWalker disruption comes on the same day that European authorities announced a coordinated takedown targeting the Emotet crimeware-as-a-service network. The botnet has been used by several cybercrime groups to deploy second-stage malware — most notably Ryuk and TrickBot.
