According to the FBI and DOJ, fewer than 25% of NetWalker ransomware victims reported incidents
Only a quarter of all NetWalker ransomware victims have reported incidents to law enforcement, according to FBI and Justice Department officials who led the group’s takedown.
Ryan Frampton – a member of the FBI’s Tampa Division Cyber Action Team – and Carlton Gammons – the lead prosecutor for the US Attorney’s Office for the Middle District of Florida – spoke at length about their work shutting down the NetWalker ransomware infrastructure at the RSA Conference on Thursday.
The FBI and DOJ were able to obtain a wealth of information on the group after seizing NetWalker’s backend servers in Bulgaria during an investigation throughout 2020.
Frampton said only 115 NetWalker victims had filed reports with the FBI’s Internet Crime Complaint Center (IC3) or their local FBI field office. But that number is dwarfed by what investigators found on the NetWalker servers used to host the group’s Tor site.
The servers contained more than 1,000 “builds” – different versions of the NetWalker ransomware customized for each victim based on an analysis of previously hacked systems.
“We have fully identified over 450 victims in this investigation, but only 115 have actually filed a report. There were 1,500 builds, so the actual number of victims in this case was between 400 and 1,500, and we’ll never know exactly how many there really were,” Frampton said.
“It is important to note that only a quarter of those we have fully identified have actually filed a report. Victims who filed a report said they paid $6.7 million. But if you look at the blockchain research and the information we got from the main server, NetWalker actually extorted almost $60 million. So whatever numbers you see in the audience, it’s probably way higher than that.”
Only 15 victims told the FBI they had paid a ransom, but the actual number is more than 200, according to Frampton, who noted that the highest ransom demanded was $12 million and the highest actual payment was $3 million.
The average ransom demand was $481,000, while the average actual payment was around $196,000. It typically took NetWalker affiliates about nine days from the time they created a victim-specific build to when that victim paid a ransom.
Frampton told the audience that the investigation into NetWalker began in late 2019 after a victim reported an incident to IC3.
It escalated dramatically during the COVID-19 pandemic, when NetWalker affiliates made a name for themselves attacking healthcare entities such as hospitals, health departments and medical research institutes, both in the US and abroad, in March and April 2020.
Most victims waited about 11 days from the time of infection to report a ransomware attack to the FBI, according to Frampton.
Gammons said that based on their investigation of the group, they discovered that 10% of all ransoms went to the developers of the ransomware and 80% went to the affiliates who actually carried out the attack.
Victims were given a link to the group’s Tor site along with a code unique to them. From there, a victim could communicate with the group, receive the ransom note and find out how long they had before their data would be released.
“Initially, if you didn’t pay NetWalker they just wouldn’t give you access to your data, but over time that changed to ‘if you don’t pay I’ll release your data,’” Gammons said.
“I can tell you that we’ve talked to companies and they didn’t want their shareholders or their customers to know they were victims of ransomware. They’d rather do what they want to do internally than let anyone find out they’ve been victimized.”
Gammons went on to explain that the access they gained to NetWalker’s servers provided them with a deluge of information about the group’s internal operations. The group kept a set of files for each victim: an executable, a PowerShell script and a text file identifying the victim.
They “basically had everything you need to commit a ransomware attack and they were customized for each victim,” Gammons explained, adding that for some victims they would have 2-3 versions.
“It was really important because it helped identify who the real victims were. Only a fraction actually reported them. The files contained invoices showing how much people were quoted for their ransom and how much they actually paid,” he said.
“It had Bitcoin addresses, Jabber handles, decryption keys. There were dozens of affiliates.”
Frampton added that with access to the decryption keys, investigators were able to reverse engineer the ransomware and build a decryptor, and they provided more than a dozen victims with a decryption utility that allowed them to restore their encrypted data.
They found over 10,000 messages from members of the group and discovered that NetWalker was attacking organizations “on every continent except Antarctica”.
Gammons said NetWalker attacked 270 organizations in the United States, 33 in Canada, and dozens more in Hong Kong, Thailand, Sweden, France, Italy, Spain and even the Cayman Islands.
It was this unparalleled access that led them to Sebastien Vachon-Desjardins, a 34-year-old man from Gatineau, Quebec, whom they identified as the most prolific NetWalker affiliate.
In February, he was sentenced in Canada to seven years in prison and was extradited in March to the United States, where he will face multiple charges related to his alleged participation in the ransomware group.
Gammons said he is currently being held in Tampa.
Gammons noted that Vachon-Desjardins was responsible for 157 builds and made 1,595 Bitcoin from ransoms – over $4.5 million.
Surprisingly, Gammons explained that Vachon-Desjardins worked for the Canadian government as an IT employee while carrying out ransomware attacks on behalf of NetWalker.
After gathering a wealth of information about the group and identifying Vachon-Desjardins, Gammons said the Justice Department faced a dilemma: act now, or keep watching.
“We basically have the infrastructure that allows NetWalker ransomware to work. We have identified the main affiliate. We can do law enforcement action, can’t we? We can arrest someone. We can shut down the servers, but that will prevent us from continuing to conduct the secret investigation,” Gammons said.
“So the investigative team got together and we discussed the pros and cons. We decided it made sense to remove it. At this point, NetWalker was incredibly widespread and popular ransomware. People were spending millions of dollars and we thought enforcement action would make sense.”
They coordinated with law enforcement in Canada and Bulgaria to not only arrest Vachon-Desjardins but also take over the group’s servers on January 27, 2021.
The Royal Canadian Mounted Police arrested Vachon-Desjardins at his home in Quebec and found approximately half a million dollars in Canadian and US currency, in addition to approximately 719 Bitcoin.
Vachon-Desjardins now faces charges of conspiracy to commit wire fraud, conspiracy to commit computer fraud and several other charges based on his conduct toward victims located in the Tampa, Florida, area, according to Gammons.
When asked by The Record whether any other members of NetWalker have been identified, charged or arrested, Gammons emphatically replied, “The only public charge at this time is Sebastien Vachon-Desjardins.”