Darkweb Site Used by NetWalker Ransomware Group Seized By Authorities

The dark web site utilized by the NetWalker ransomware gang has been seized by U.S. and Bulgarian security agencies, according to a recent report.

The ransomware gang used the site to publish data stolen from the victims of its intrusions. In addition, authorities have charged a Canadian national in connection with the seizure in a Florida court. The accused is believed to have extorted over $27 million from victims by spreading the NetWalker malware and issuing the subsequent ransom demands.

The NetWalker ransomware group started its operation around September 2019. The group uses affiliates to distribute the ransomware and infect victims, keeping about a 75% share of the ransom payments and giving the remainder to the affiliates.

The threat actors responsible for the ransomware operation have profited immensely from these tactics. Some reports revealed that the group generated about $25 million within five months last year.

Nicholas McQuaid, the acting Assistant Attorney General of the Justice Department's Criminal Division, commented on the recent raid and the seizure of the dark web site.

According to him, the agencies are serious about bringing criminal charges against those responsible for ransomware extortion. He also stated that the goal is to dismantle the online infrastructure of cybercriminals and recover ransom payments already made by victims.

McQuaid also stated that the ransomware victims should come forward to law enforcement immediately after a ransomware attack to help deal with the issue successfully.

He reiterated that the recent success in apprehending the perpetrators is a result of the victims' swift action in contacting the authorities.

While the U.S. authorities convicted a member of the NetWalker ransomware group, the Bulgarian authorities seized the dark web site used by the gang.

The operation was a collaboration between both countries' authorities, and it was deemed a success. According to the report on the seizure, the takedown was carried out by the Bulgarian National Investigation Service, the FBI, and the U.S. DOJ.

As of press time, the FBI has not commented on the seizure or released any statement about it, so it is still unclear whether law enforcement succeeded in retrieving decryption keys from the ransomware gang.

NetWalker has been very active in the ransomware space and has accumulated a large amount of stolen data along with the corresponding decryption keys. If authorities can recover those decryption keys, it will be a major win in the fight against cybercriminals.

It would also allow victims to recover their files without paying the unusually high sums they would otherwise have paid as ransom.

The NetWalker ransomware has a long list of victims it has targeted. Some of the attacks were successful, while a few others were contained before any meaningful data was stolen.

The ransomware gang has also targeted high-profile victims. These include K-Electric, the University of California San Francisco (UCSF), Argentina's immigration agency, Enel Group, and Equinix.

Following the seizure of the website, visitors to the site are now shown a banner telling them that the site has been seized by law enforcement.

According to blockchain analysis firm Chainalysis, which assisted in the investigation, the NetWalker ransomware has generated more than $46 million from victims since the group started operating.

“It picked up steam in mid-2020, growing the average ransom to $65,000 last year, up from $18,800 in 2019,” Chainalysis added.

NetWalker has been growing in popularity along with other ransomware strains such as Sodinokibi, DoppelPaymer, Maze, and Ryuk.

These groups have been responsible for severe ransomware attacks on companies, universities, schools, hospitals, and government institutions. In most cases, they demand ransom payments in Bitcoin or other cryptocurrencies to conceal their identities.

The NetWalker ransomware gang also participates in a growing ransomware trend known as double extortion. In addition to encrypting files, the attacker retains a copy of the stolen data and threatens to publish it if the victim fails to pay the ransom. Once the victim pays, the affiliates and the developers share the proceeds in a previously agreed ratio.

They sometimes demand an additional payment if the first ransom was paid swiftly. In some cases, they collect the ransom from the victims and still go ahead and publish the stolen data to extract more money.