Thu | Jan 28, 2021 | 4:09 PM PST

In newly unsealed court documents, the U.S. Department of Justice says it is has indicted one of the players involved in the infamous NetWalker ransomware.

Authorities have seized almost half a million dollars in cryptocurrency, disabled a Dark Web resource used to communicate with NetWalker ransomware victims, and arrested Sebastien Vachon-Desjardins, a Canadian national.

How much did he make from his part in NetWalker? According to the DOJ, he raked in more than $27 million by attacking organizations around the world.

NetWalker ransomware disabled 

NetWalker has been a very troublesome and effective ransomware for the last few years. Operators have targeted a wide variety of organizations in that time, including hospitals, law enforcement, emergency services, school districts, colleges, and universities.

During the COVID-19 pandemic, they have gone even lower. The DOJ says the ransomware group specifically targeted the healthcare sector to take advantage of the global crisis.

Acting Assistant Attorney General Nicholas McQuaid of the Justice Department's Criminal Division had this to say about NetWalker's shutdown and the disablement of other ransomware operations:

"We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims.

Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today's multi-faceted operation."

What was the NetWalker ransomware business model like?

The DOJ says that NetWalker operated under a ransomware-as-a-service model that featured "developers" and "affiliates."

Developers would be responsible for creating and updating ransomware, making it available to affiliates. Affiliates would identify and attack high-value targets with the ransomware. Once the ransom payment was received, the developer and affiliate would split the payment.

The DOJ is now sharing more details about how NetWalker operated:

"...once a victim's computer network is compromised and data is encrypted, actors that deploy NetWalker deliver a file, or ransom note, to the victim. Using Tor, a computer network designed to facilitate anonymous communication over the internet, the victim is then provided with the amount of ransom demanded and instructions for payment.

Actors that deploy NetWalker commonly gain unauthorized access to a victim's computer network days or weeks prior to the delivery of the ransom note.

During this time, they surreptitiously elevate their privileges within the network while spreading the ransomware from workstation to workstation. They then send the ransom note only once they are satisfied that they have sufficiently infiltrated the victim's network to extort payment."

Who is the Canadian charged in the NetWalker case?

Sebastien Vachon-Desjardins, the Canadian national charged in this case, is alleged to have made at least $27.6 million during the time of his involvement with the NetWalker operation. Authorities say they also seized $454,530.19 in cryptocurrency which came from three separate attacks and ransom payments to NetWalker.

One can only speculate how many ransomware attacks were needed to accumulate the $27.6 million Vachon-Desjardins made.

The DOJ says it intends to return what it can to those who lost money in this group's destructive attacks.