NetWalker, a notorious form of ransomware-as-a-service, has been targeted by the American Department of Justice (DoJ) in a recent coordinated international law enforcement action. Court documents report the growth of a network of affiliates identifying high value targets and developers boosting the capabilities of NetWalker for ransomware attacks. Victims have spanned a range of sectors including companies, hospitals, law enforcement, schools, universities and more. During COVID-19 the ransomware specifically targeted the health care sector.
The Acting Assistance Attorney General Nicholas L. McQuaid of the DoJ's Criminal Division announced that:
We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims.
The DoJ has since seized USD$454,530 in digital currency which was made up of payments made for 3 different ransomware attacks showing once again, that digital currency is not an anonymous pathway for criminals, but rather leaves a clear transaction path to be followed.
The law enforcement action was coordinated with various actors including authorities in Bulgaria that recently seized a dark web resource that developers and affiliates of the NetWalker ransomware used to launch their attacks. Chainalysis, a blockchain analysis company, announced that it also assisted in the investigation including by tracing more than $46 million worth of funds paid in NetWalker ransoms since 2019.
Chainalysis' reporting underscores show how the pseudonymity of the blockchain can allow for radical transparency in ransomware investigations as they could point to "at least 305 victims from 27 different countries including 203 in the U.S.". This aligns with U.S. Attorney Maria Chapa Lopez for the Middle District of Florida's sentiments that:
While these individuals believe they operate anonymously in the digital space, we have the skill and tenacity to identify and prosecute these actors to the full extent of the law and seize their criminal proceeds.
As ransomware continues to tap into new vulnerabilities that are being discovered as workplaces remain largely dependent on remote working, it is important that coordinated approaches continue.
This is a key demonstration of how important international cooperation is in tackling international crime.