The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Netwalker Ransomware Affiliate Sentenced to 20 Years in Jail

Posted By on Oct 6, 2022

An affiliate of the infamous Netwalker ransomware gang has been sentenced to serve 20 years in jail for his role in ransomware attacks on entities in the United States.

Netwalker is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks and deploy ransomware in exchange for a cut of the ransom payments they generate, typically receiving up to 75% of any ransoms paid. After gaining access to a victim’s network, sensitive data would be identified and exfiltrated and used as leverage to pressure victims into paying. Threats were then issued to publish or sell the data if the ransom is not paid. Ransom demands ranged from hundreds of thousands to millions of dollars.

While some RaaS operations ban their affiliates from conducting attacks on healthcare organizations, that was not the case with Netwalker, which actively targeted healthcare organizations around the world. The gang also stepped up attacks on the sector during the COVID-19 pandemic.  Victims included the Champaign-Urbana Public Health District and the University of California San Francisco, which had files encrypted on the servers used by its School of Medicine. A ransom of $1.14 million was paid by UCSF for the decryptor to recover essential files.

Sebastien Vachon-Desjardins, 34, from Quebec, a former IT consultant who worked for the Public Works and Government Services in Canada, was arrested in Canada in January 2021 on suspicious of conducting ransomware attacks as part of a law enforcement crackdown on the Netwalker ransomware gang. Law enforcement searched his home and found 719 Bitcoin with a value of more than $28 million, CAD $640.040 in cash, and seized CAD $420,941 from his bank account.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Vachon-Desjardins pleaded guilty to breaching companies and conducting attacks and also admitted to training other individuals on how to conduct attacks. During the 9 months from May 2020 to January 2021, Vachon-Desjardins is alleged to have earned more than 2,000 Bitcoin for the gang and is estimated to have earned more than CAD $30 million in just 9 months. Vachon-Desjardins was charged for the attacks conducted in Canada, was sentenced to serve 6 years and 8 months in jail, and was ordered to pay restitution to 8 victims of his attacks, ranging from $2,500 to $999,239. While awaiting sentencing, Vachon-Desjardins was also sentenced to serve 4.5 years in jail for a separate drug trafficking case.

A law enforcement investigation into the ransomware attacks conducted by Vachon-Desjardins on U.S. firms was also underway and earlier this year, Vachon-Desjardins was extradited to the United States to face charges in Florida, including conducting a ransomware attack on a Tampa-based firm. Vachon-Desjardins entered into a plea deal and pled guilty to conspiracy to commit computer fraud, conspiracy to commit wire fraud, causing intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

Federal sentencing guidelines were in the range of 12-15 years; however, U.S. District Court Judge, William F. Jung, opted for a much harsher sentence to serve as a deterrent to other would-be ransomware affiliates. Vachon-Desjardins was sentenced to serve 60 months in jail for conspiracy to commit computer fraud and transmitting a demand in relation to damaging a protected computer, 120 months for causing intentional damage to a protected computer, and 240 months for conspiracy to commit wire fraud, with the sentences to run concurrently. Vachon-Desjardins also agreed to forfeit $21.5 million and will have to serve 3 years of supervised release.

During his prison term, Vachon-Desjardins will not be permitted to use a computer capable of connecting to the Internet, including a smartphone, gaming device, or other electronic devices. U.S. District Court Judge, William F. Jung, said that were it not for the plea deal, and if the case had gone to trial, he would have sentenced Vachon-Desjardins to life in prison.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist