With The Help Of Blockchain Analysis, International Operation Disrupts Ransomware Group Netwalker by Tracing Cryptos

What Is Netwalker? 

The US Department of Justice (DOJ) disrupted a well-known ransomware gang’s infrastructure in collaboration with Bulgarian authorities. With the help of blockchain forensic analytics via Chainalysis law enforcement seized their servers and traced the illicit funds. 

Over $454,000 Worth Of Cryptocurrencies Was Seized By US Authorities 

Thereafter attributing to the action taken against Netwalker a highly active ransomware group over the last year which specifically targeted the health care sector per the US Department of Justice’s announcement. 

Who allegedly obtained $27.6 million as a Netwalker affiliate, the US authorities also indicted a Canadian national, Sebastian Vachon-Desjardins. 

Where the gang redirected their victims to arrange the ransom negotiations, the authorities seized a server that hosted their site on the dark web. $454,530.19 in cryptocurrency from ransom payments were seized as the US DOJ said. 

Law enforcement took advantage of investigative tools of Chainalysis to trace Netwalker transactions with the support of blockchain analysis. Since it first came on the scene in August 2019, in fact, the blockchain firm had traced more than $46 million worth of funds in Netwalker ransoms. 

Including 203 in the US, the US authorities believe the ransomware gang targeted 205 victims from 27 different countries during its lifetime.

When it approached the threat analyst at malware lab Emsisoft Brett Callow, it was commented on the authorities’ action against Netwalker recently as the following:

This means there’s a very little deterrent, ransomware groups have operated with almost complete impunity for a very long time. While the risks are small the rewards are enormous. Changing that is the action against Netwalker. It also sends a clear message that cybercriminals are not beyond the reach of the law in addition to disrupting the group’s revenue stream. Is it then possible to create a deterrent? It is certainly a step in the right direction even if the answer is no.   

Where external people could deploy the ransomware and share revenues with the gang, Netwalker ransomware works with an affiliate scheme. On what the blockchain analysis unveiled about the infrastructure Chainalysis elaborates: 

There are typically four roles that then receive proceeds from Netwalker attacks that come to be: the administrator or developer likely (8-10%), the affiliate (76-80%) as well as two commissioned roles (2.5%-5% each). Usually responsible for obtaining access to the victim network and deploying the malware is an affiliate like Vachon-Desjardins. Which we believe belongs to the Netwalker administrator and indicates that he or she may also be directly involved in some of the attacks, there are also cases when one wallet gets 100% of the payment. 

That there were fewer than 20 unique affiliates, was what the analytical firm says. While some moved on to other similar ransomware strains some others rarely deployed the ransomware. Received by the affiliates from other variants, that’s why a tool used by the authorities named Chainalysis Reactor traced payments. 

Chainalysis found out that Netwalker administrator published an advertisement on darknet forums to confirm the fact that some affiliates moved to other strains. As vacancies had freed up the admin was seeking new affiliates. 

Tracing Suspected Netwalker Affiliate

Chainalysis explained the following on how the authorities traced Vachon-Desjardins activities. 

With transactions continuing to the date of this writing which is January 27, 2021, blockchain analysis revealed at least 345 addresses associated with Vachon-Desjardins going back to February 2018.

Ultimately possessing at least $27.6 million given its rising value he allegedly received more than $14 million worth of bitcoin at the time of

receipt of the funds. 

Deploying the malware as an affiliate and receiving 80% of the ransom, citing government partners, Chainalysis claims Vachon-Desjardins was involved in at least 91 attacks using Netwalker ransomware since April 2020. In the deployment of other ransomware strains, the analytical firm also suspects the alleged Netwalker affiliate was involved. 

With ransomware malware, increasing day by day analysts are finding it difficult to track down the origin of such groups on the dark web. It is important to find the effect on many sites as they redirect to such sites on the dark web. Computer specialists have been on the lookout for such people throughout their work lives. 

Finally Winding Up The Discussion On Ransomware Malware

As blockchain analysts come hunting down such sites thereby transacting on cryptocurrencies, many have been located and seized.

So, it is here that the precaution is to be taken as they should not be reached by people transacting in cryptocurrencies. 

Finally, when the US officials have seized a lot of cryptocurrencies from such a ransomware group, they come to the surface from the dark web underneath. So, you have to make sure they don’t prey upon you when you have thereby been located by the group. Take care and exercise caution is all that we ask you to.