Skip links

Extradited Canadian accused of unleashing NetWalker ransomware

US prosecutors on Thursday said they have extradited a Canadian man to America to face charges that he conspired to distribute ransomware.

Sébastien Vachon-Desjardins, 34, of Gatineau, Quebec, was detained by Canadian authorities on January 27, 2021. Upon executing a warrant to search his residence, officials found and seized more than 20TB of data including digital wallets containing 719 Bitcoin – worth about $28.5m presently – and C$790,000 (~$619,000) in cash, some of which was stored in bank safety deposit boxes.

The previous month, Vachon-Desjardins was indicted in Tampa, Florida, on charges of computer and wire fraud, intentionally damaging a protected computer, and transmitting a demand in relation to damaging a protected computer.

In January this year, he pleaded guilty before a Canadian judge to: mischief in relation to computer data; extortion; and participating in a criminal organization. He was sentenced to seven years in jail.

Now this week, Vachon-Desjardins has been shipped to the US from Canada under the extradition treaty between the pair of nations to face those charges in Florida.

The Justice Department identifies Vachon-Desjardins as “a former Canadian government employee” without specifying which government agency. This employment status appears to date back at least to seven years: a June 16, 2015 article in Gatineau, Quebec-based publication Le Droit recounts then 27-year-old Sébastien Vachon-Desjardins’s three-and-a-half year sentence for illegal drug possession and says he was formerly employed by the National Research Center of Canada.

An investigation led by the Royal Canadian Mounted Police identified 17 Canadian companies targeted by Vachon-Desjardin. The US indictment [PDF] against Vachon-Desjardins alleges he was involved in deploying the NetWalker ransomware against an unidentified company in Tampa.

“Ransomware is a multi-billion-dollar criminal enterprise that transcends physical and political boundaries,” said Roger B. Handberg, US Attorney for the Middle District of Florida, in a statement on Thursday. “International collaboration is essential to identify the perpetrators of these sophisticated schemes.”

The arrest of Vachon-Desjardins exemplifies the benefit of cross-border cooperation. That same month, authorities in Bulgaria seized the IT infrastructure used by NetWalker ransomware affiliates to provide victims with payment instructions and collect payments.

NetWalker, according to security firm Chainalysis, is ransomware as a service. An administrator or developer typically runs the infrastructure and relies on affiliates to obtain access to victim networks and deploy the malware necessary to capture and encrypt data for ransom. Payments are then shared between admins, affiliates, and other commissioned roles.

Chainalysis last year said it had identified at least 345 blockchain addresses associated with Vachon-Desjardins, and said government partners alleged he was involved in at least 91 NetWalker attacks since April 2020, for which he received 80 per cent of the ransom.

The firm said it also suspects he was involved in the deployment of other ransomware-as-a-service strains, including Sodinokibi, Suncrypt, and Ragnarlocker.

The US stepped up its effort to deal with ransomware following the compromise of Kaseya’s IT management software last year. The Biden administration last year tried pressuring Russian President Vladimir Putin to do something about ransomware operations in his country. The geopolitical situation has changed a bit since then.

Vachon-Desjardins’s attorney Mark O’Brien told The Register in an email that his client pleaded not guilty today and a trial is scheduled for May. If convicted in America, Vachon-Desjardins would serve any US prison term first and time left unserved from his Canadian sentence would be served in Canada. ®