Cyber True Crime: The Affiliate Part 4

Welcome back to Part 4 of the cyber true crime series: The Affiliate. In past blogs, we covered how a ransomware gang typically operates, how an organization finds out it has been the target of a NetWalker ransomware attack, how someone becomes a NetWalker affiliate, and what you need to know about the international servers the Affiliate used. In this installment, we cover the organizations the Affiliate targeted over the span of a few weeks.

To read Part 1, click here.

To read Part 2, click here.

To read Part 3, click here.

Should You Pay the Ransom?

It is both incredible and intimidating to think that the Affiliate carried out five brutal attacks on organizations across the United States and beyond over the span of a few weeks. It is also one of the reasons why organizations should always, no matter the circumstances, refuse to pay the ransom that ransomware gangs demand.

Consider that this is what a single person was able to accomplish in a very short period of time. What if NetWalker has 10 affiliates? Or 100? Or 1,000? The amount of damage one ransomware gang can orchestrate adds up quickly, which is why you do not want to be responsible for their payday.

Even if you cooperate, you should not assume that a criminal organization will keep its word: nothing holds them accountable for restoring your encrypted files. There is also a high probability that they have made a copy of your data, which they can use in future attacks against the organization or post on the dark web regardless of whether you pay. The best thing you can do is follow through with your incident response plan.


The Organizations Targeted by the Affiliate

This is exactly what the first organization Sebastien Vachon-Desjardins targeted did. The FBI reports that around May 1, 2020, a telecommunications company headquartered in Florida became aware that its network had been compromised by NetWalker ransomware. NetWalker demanded a ransom of $300,000 USD in Bitcoin, which the targeted organization refused to pay. An unsealed FBI document reveals that the organization claims to have spent approximately $1.2 million USD on restoration. The organization was compromised through its Pulse Secure Virtual Private Network (VPN). Forensic analysis revealed that an international server, which would later be identified as Poland Server #1, had been used to gain this access.

A little over a week later, around May 8, 2020, the second organization was attacked by the Affiliate. The educational institution became aware that it had been the target of a NetWalker ransomware attack the same way the telecommunications company had: through a ransom note on one or more of its workstations. However, the second targeted organization never learned the ransom demanded, as it did not visit the NetWalker Tor panel. Through forensic analysis, the FBI concluded that the same international server had been used to gain unauthorized access to the institution's Pulse Secure VPN.


By this point, the FBI was monitoring Poland Server #1 and anticipated another attack. Just a few days later, on May 13, 2020, investigators observed a new build on the server for a transport logistics company headquartered in France. Unfortunately, they were unable to notify French officials in time, and the attack was executed. The third targeted organization received the ransom note notifying it that its data had been encrypted on May 15, 2020, with an initial ransom of $50,000 USD in Bitcoin, later increased to a staggering $2 million USD in Bitcoin. The organization did not pay.

Around this time, FBI investigators covering the attack observed a post on the NetWalker blog stating that the data stolen from the transport logistics company would be published online on May 30, 2020, with an accompanying screenshot to prove they were not bluffing. True to their word, on May 30 the organization's data was leaked on the NetWalker blog. It was only at this point that the FBI began to monitor the blog and build the case in more depth, so it is possible that data from the first two attacks was leaked as well, though the FBI report does not mention it.

Up to this point, none of the three organizations targeted by the Affiliate had paid the ransom, meaning that, if these were the only organizations targeted, the Affiliate had not actually made any money from the ransomware attacks. That changed with the fourth organization targeted, an educational institution headquartered in California. The organization was attacked around June 3, 2020, and ultimately paid $1.4 million USD in Bitcoin.


Unfortunately, just five days later, its data was leaked on the NetWalker blog anyway, despite the payment. Unlike the previous attacks, this one was traced to a second international server (Poland Server #2).

Although it occurred before the fourth attack, the FBI lists the attack against the fifth targeted organization last because it was discovered after the first four. While the other four attacks were discovered through the international servers, the fifth was discovered through a ransomware payment record found in one of the Affiliate's several email accounts. We will fully explain how the FBI began tracking the email addresses and linked them back to the Affiliate in Part 5; for now, we cover only how one email account allowed the FBI to identify a fifth victim.

The fifth targeted organization, an education company headquartered in Washington, is believed to have been attacked in May 2020. It ultimately paid close to 10.5 Bitcoin (about $94,877 USD). By investigating an email account belonging to the Affiliate, FBI investigators found that he received about $72,374 USD for this attack, a hefty cut for an affiliate. Investigators also discovered a build relating to this attack on Poland Server #1, along with five screenshots the Affiliate had created of the data stolen from the organization.

Stay tuned for Part 5 of the Affiliate series, where we will dig into how FBI investigators tracked down Vachon-Desjardins through the international servers and email addresses.

The More You Know

Understanding what motivates criminals, who they are, and how they work is a vital part of building a more resilient organization. It makes cybersecurity more real for everyday people and helps individuals and organizations develop plans to better protect themselves from cyber threats. Please consider sharing this series to help more people understand 21st-century crime and how to protect themselves from it.
