The darknet leak websites associated with the operations of the NetWalker ransomware group have been taken down by law enforcement agencies from Bulgaria and the USA. The agencies also succeeded in a global dismantlement of hundreds of servers and one million Emotet infections, and have charged a suspect.
NetWalker (Emotet) is a RaaS, or Ransomware-as-a-Service, operation that started operating in late 2019. Affiliates were enlisted to distribute the ransomware and infect victims in return for a share of the ransom payments amounting to 60-75%. The ransomware proved highly profitable for the cybercriminals: an August report estimated that the threat actors had generated $25 million in a mere five months.
“It is a so-called ‘modular malware family’ that can install all kinds of additional malware on systems, steals passwords from browsers and email clients, and is very difficult to remove,” according to an announcement from Dutch police issued on Wednesday. “One of the things that makes Emotet so dangerous is that Emotet opens the door to other types of malware, as it were. Large criminal groups were given access to some of those systems for payment to install their own malware. Concrete examples of this are the financial malware Trickbot and the ransomware Ryuk.”
Law enforcement officials have seized the data leak sites (dark web hidden resources) of the NetWalker ransomware and its Tor payment site, via their international consortium “Operation LadyBird”. They have also put up a seizure banner displaying the logos of Bulgarian law enforcement and the FBI. The seizure notice states that the shutdown was conducted by the FBI, the Bulgarian National Investigation Service, the US DOJ and Bulgaria’s General Directorate Combating Organized Crime.
Details on how Operation LadyBird specifically worked are scant, but Europol noted: “Law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”
“This hidden site has been seized by the Federal Bureau of Investigation, as part of a coordinated law enforcement action taken against the NetWalker Ransomware.”
“The action has been taken in coordination with the United States Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance from the Bulgarian National Investigation Service and General Directorate Combating Organized Crime,” the website seizure notice reads.
“Some servers were used to keep a grip on already infected victims and to resell data, others to create new victims, and some servers were used to keep police and security companies at bay,” according to the Dutch police.
An announcement from Europol added, “The infrastructure that was used by Emotet involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts.”
At the moment, the FBI has not released any information regarding the takedown. Thus, it remains unclear whether the agencies succeeded in retrieving the decryption keys as part of the operation, or whether any arrests have been made.
NetWalker is one of the most active ransomware operations, and access to the decryption keys could allow many victims to recover their encrypted files for free. Recovering the decryption keys would also mark a major achievement for law enforcement, since ransomware operations have proved remarkably resistant to disruption.
Additionally, the Dutch authorities discovered a database containing around 600,000 stolen email addresses with passwords on one of the servers.
The NetWalker ransomware had targeted high-profile victims such as the Argentinian immigration agency, Enel Group, Equinix, K-Electric and the University of California San Francisco (UCSF).
“The result here is gratifying, but the havoc Emotet wreaked across numberless networks in seven years is alarming,” Hitesh Sheth, president and CEO at Vectra, told a news outlet. “We’ve got to aspire to more international cooperation for cybersecurity plus better response time. None of us know how many malware cousins of Emotet are doing more damage right now, but if each takes seven years to neutralize, we will remain in perpetual crisis.”
Meanwhile, law enforcement has also announced federal charges against a NetWalker suspect. The feds also seized nearly half a million dollars in cryptocurrency that the threat actors had extorted as ransom through the dark web hidden resources. They further stated that the Canadian suspect Sébastien Vachon-Desjardins had banked around $27.6 million over the course of his NetWalker activities.