Justice Department Brings Prolific Ransomware NetWalker to Book

Justice Department Brings Prolific Ransomware NetWalker to Book

.Ransomware attacks seem to have become an unavoidable risk of doing business over the last few years. Cunning and proactive ransomware gangs have also pounced on the opportunity provided by the COVID-19 pandemic to alter their tactics and extort vulnerable targets. The Netwalker Ransomware is one such example.

However, authorities are fighting back. In a rare development, the United States Justice Department managed to disrupt a highly active ransomware gang’s operations and bring charges in a court of law.

What is NetWalker?

NetWalker was created by the ransomware gang Circus Spider (part of the Mummy Spider) cybercriminal group, in 2019. As far as ransomware goes, it’s a relatively straightforward piece of malware, although highly effective.

NetWalker relies mainly on phishing and spear phishing to entice victims to download and run malicious attachments. During the COVID-19 pandemic, a file named CORONAVIRUS_COVID-19.vbs was one of their favorite calling cards. Once it’s opened, the ransomware will be installed and start encrypting as well as transmitting sensitive data.

This reflects how the human element cannot be ignored when securing your infrastructure and resources.


LIFARS Phishing Attack Simulation involves experts launching targeted phishing campaigns based on real-world scenarios to assess your readiness to deal with these challenges and provide recommendations on improving your security measures via technology and training.


The hackers will then threaten to expose the information on extortion sites if not paid, usually in cryptocurrency.

Although not the worst ransomware gangs in recent history, Netwalker was one of the most prolific. They are regarded as one of the most active gangs when looking at the frequency and number of victims who they have threatened to expose on extortion sites.

NetWalker seems to have had a particular preference targeting healthcare facilities and large public institutions. Companies, municipalities, entire school districts, and even law enforcement themselves have fallen victim to this cyberattack. However, opportunistic as these actors tend to be, it used the COVID-19 pandemic to specifically target healthcare providers. Some of its biggest recent victims were:

Lorien Health Systems – An assisted-living facility for seniors, based in Maryland.

Crozer-Keystone Health System – A chain that operates four hospitals in Pennsylvania, Delaware, and New Jersey.

University of California

NetWalker recently adopted a RaaS (Ransomware as a Service) model. This allowed so-called “affiliates” to help its creators identify and extort high-value targets for a share of the profits.

What Happened?

On Wednesday, 27 January 2021, the Department of Justice Office of Public Affairs made a release stating that it had orchestrated “a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker.”  The investigation was led by the FBI’s Tampa field office.

Substantial assistance was attributed to the Department of Justice’s Office of International Affairs as well as the Bulgarian National Investigation Service in what appears to be an internationally coordinated mission.

This is part of a new push by the JDC to not only try and curb ransomware attacks by bringing criminal charges against those responsible but also to disrupt their infrastructure and to try and recover as much of the victim’s extorted money as possible.

This action includes bringing charges against a Canadian national. The charges are in relation to a particular attack where tens of millions of dollars were successfully ransomed. Authorities seized $454,530.19 in cryptocurrency and disabled a Tor resource used to communicate with NetWalker ransomware victims. In the unsealed indictment, Sebastien Vachon-Desjardins was named as the charged individual.

Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division once again reiterated the importance of approaching authorities as soon as possible.  He said, “ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”

However, we will probably never be truly free of threats like Netwalker Ransomware and its peers. The best defense is a comprehensive campaign with organization-wide buy-in by all stakeholders to put proactive measures in place as well as launch a campaign of education and training to prepare individuals for any incident.




Department of Justice Launches Global Action Against NetWalker Ransomware