Cyber True Crime: The Affiliate

A Canadian man has been charged by the FBI with being one of the world’s top cybercriminals, making tens of millions of dollars as an agent of a shadowy international criminal organization known as NetWalker. This is his story.

In this 8-part series, we’ll explore this true crime story - which continues to unfold even as the global ransomware epidemic rages in countries around the world. We’ll cover the targets of NetWalker, which range from healthcare and education, to telecommunications and transportation logistics. This series will take us from the city of Gatineau, Quebec, to servers in Poland and Bulgaria and involves the investigative expertise of the FBI and RCMP. In this first instalment, we’ll go over how ransomware works, the ransomware-as-a-service model and where NetWalker fits into all of this.

Cybercrimes start and end with people. They start with the motivations of people who seek to enrich themselves regardless of the harm, pain and suffering they cause. They prey on their targets’ fears and depend on people acting without fully considering the situation. Most of the time, they use known manipulation tactics to coerce individuals into giving up sensitive information such as login credentials, personal information and other confidential data in order to hack into an organization’s network and steal information.

Known system vulnerabilities are also exploited to gain access and move undetected through an organization’s network, stealing and compromising data as they go. In recent years, ransomware gangs have become increasingly common, as ransomware has become one of the top cyber threats. Cybercriminals use ransomware to encrypt files that can only be decrypted using a decryption key provided by the ransomware gang in exchange for a ransom.

Ransomware has been a huge money maker.

It takes a community to commit a cybercrime.

When it comes to ransomware, it usually isn’t a single individual acting on their own, but an organized group of folks acting as either developers or affiliates. Developers create the ransomware code and tools needed to encrypt the data, while affiliates implement and follow through with the attack. This way of conducting a ransomware attack is known as ransomware-as-a-service (RaaS) as the developers are providing the affiliates with the service for a fee.

RaaS can operate with developers selling the code and tools needed to conduct the attack to affiliates outside their criminal organization, or they can provide it to affiliates within their gang for a price and cut of the ransom when it’s paid. The RaaS model is popular as it benefits both developers and affiliates: the developers are guaranteed an income whether or not the target organization pays the ransom as the affiliates pay them in advance, and the affiliates don’t need to be exceptionally tech-savvy since they only need to know how to implement the ransomware – not create and sustain it.

NetWalker has been advertised as a RaaS since March of 2020, according to documents produced by the FBI. Like other RaaS models, it is made up of developers who create the ransomware and affiliates who deploy it against the organizations and companies targeted. As mentioned in an unsealed FBI document, within NetWalker, the affiliates are also responsible for identifying and researching “high-value” target organizations to launch attacks on using ransomware code packages created by the developers.

Organizations are targeted either because of the valuable, confidential data they possess, which could disrupt the functionality of the organization, or because of ties the information may hold to other organizations, individuals or other private affiliations.

A multi-pronged attack

Like most ransomware gangs, NetWalker not only encrypts their target’s data, but also steals it and publishes it online. According to the investigation conducted by the FBI, the stolen data includes confidential business data, individual personal identifying information, medical records and educational records. It’s generally believed that the data will be published online only if the target does not pay the ransom; however, this is not always the case, and like most criminal organizations, NetWalker does not always play by the rules they’ve created.

In May of 2020, the FBI came across the NetWalker Blog, which the ransomware gang uses to publish stolen data from targeted organizations. Once on the dark web, the NetWalker Blog is easily accessible to any and all cybercriminals as it’s not encrypted. FBI surveillance recorded in an unsealed FBI document reveals that, in its entries, the NetWalker Blog names the targeted organization, gives a summary of their services and provides a link to where or when the organization’s data will be published. The Blog also posts screenshots of the confidential information to prove that they’re serious, a scare tactic other ransomware gangs also use.

Stay tuned for Part 2 where we’ll tell the story of Sebastien Vachon Desjardins and begin to unravel how he scammed organizations out of millions of dollars through his affiliation with NetWalker.

The more you know

Understanding what motivates criminals, who they are and how they work is a vital part of building a more resilient organization. It helps make cybersecurity more real for everyday people and helps individuals and organizations develop plans to better protect themselves from cyber threats. Please consider sharing this series to help more people understand 21st-century crime and how to protect themselves.
