DOJ splash page on NetWalker ransomware site

The Department of Justice last week announced a coordinated international law enforcement action against hackers who defrauded a Maryland senior living provider, among other victims, of more than $27 million.

Sebastien Vachon-Desjardins, a Canadian national, was indicted on conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

The indictment, filed in the Middle District of Florida, states that Vachon-Desjardins was part of a hacker ring known as NetWalker that extorted at least $27.6 million from companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges and universities through ransomware attacks.

As McKnight’s Senior Living previously reported, Lorien Health Services, which offers assisted living, skilled nursing and rehabilitation at nine locations in Maryland, was one of NetWalker’s alleged victims. The data breach last summer reportedly exposed the personal information of 47,754 residents.

The Justice Department said the ransomware attacks specifically targeted the healthcare sector during the COVID-19 pandemic, “taking advantage of the global crisis to extort victims.”

The government was able to seize approximately $454,530.19 in cryptocurrency from ransom payments to Vachon-Desjardins, as well as disable a “dark web” hidden resource used to communicate with NetWalker ransomware victims.

As part of the joint international effort, Bulgarian law enforcement seized computers affiliated with NetWalker. A dark web blog that posted the files of NetWalker victims who refused to pay the ransom now displays a graphic indicating that it was seized by government agencies.

According to court documents, once a victim’s computer network is compromised and data are encrypted, actors that deploy NetWalker deliver a ransom note to the victim. Hackers typically gain unauthorized access to a computer network days or weeks before delivering a ransom note, according to the Justice Department.

The department explained that NetWalker operates a “ransomware-as-a-service model” with developers and affiliates. Developers create and update the ransomware and make it available to affiliates, who identify and attack “high-value victims.” After a victim pays, developers and affiliates split the ransom.

“This case illustrates the FBI’s capabilities and global partnerships in tracking ransomware attackers, unmasking them, and holding them accountable for their alleged criminal actions,” Special Agent in Charge Michael F. McPherson said in a statement.

The investigation was led by the FBI’s Tampa field office, with assistance from the Department of Justice’s Office of International Affairs, the Bulgarian National Investigation Service and General Directorate Combating Organized Crime.