International Law Enforcement Takedown of NetWalker and Emotet

Alvaro Marañon
Thursday, January 28, 2021, 2:59 PM

Published by The Lawfare Institute
in Cooperation With

Law enforcement’s battle against cybercrime is off to a fast start in 2021, with two major developments occurring earlier this week. Both are a result of separate collaborative efforts between U.S. law enforcement agencies and various European authorities.

First, on Jan. 27, 2021, the Department of Justice announced the launch of an organized international law enforcement action to disrupt the notorious NetWalker ransomware. U.S. and Bulgarian authorities were able to seize the dark web site, which was used by ransomware affiliates to communicate with and provide payment instructions to ransomware victims, and recoup large amounts of cryptocurrency from ransomware payments.

Netwalker ransomware has ravaged various industries in the past but specifically targeted the healthcare sector during the COVID-19 pandemic. The court documents illustrated how the NetWalker ransomware had created a business model, consisting of “developers”, who created and updated the ransomware for affiliates, and “affiliates’, who identified and attacked high-value victims. Both the developers and affiliates would split the subsequent payments.

The unsealed indictment also revealed charges against a Canadian international, Sebastien Vachon-Desjardins, who is alleged to have obtained at least $27.6 million from these attacks.

The press release is here and the indictment can be found below.

Also, on Jan. 27, 2021, the Federal Bureau of Investigation announced, along with France’s Police Nationale, the United Kingdom’s National Crime Agency and others, the coordinated action against the infamous Emotet malware and botnet. Law enforcement and judicial authorities were able to take control of the Emotet infrastructure, enabling them to redirect the infected machines to this law enforcement operated infrastructure. This marked a major milestone in the disruption of cyber-criminal operations.

Emotet was originally a banking Trojan but has long evolved into becoming one of the most dangerous and powerful malware and botnets in circulation. Emotet’s popularity amongst cybercriminals stems from its “loader” or “download” function for subsequent malware. Once Emotet successfully infected a machine, it would “offer” the infected device to other cybercriminals for a price, where the buyer could then install other forms of malware on the existing machine. Trickbot and other malware have relied upon Emotet, so this disruption will likely have wide-ranging ramifications for other botnet groups.

Authorities are still seeking the individuals responsible for this operation but in the meantime, have planned to release an update to remove the malware on all infected Emotet devices on April 25, 2021.

Alvaro Marañon is a former fellow in Cybersecurity Law at Lawfare. Alvaro is a graduate from the American University Washington College of Law and the University of New Hampshire.

Subscribe to Lawfare