By all accounts, he was part of several so-called Ransomware-as-a-Service (RaaS) gangs, such as REvil and NetWalker, where the actual ransomware attackers act as “affiliates” for the core ransomware creators, in return for handing over a 30% cut of every blackmail payment they extort, much like the commission taken by the App Store or Google Play.
Simply put, the core gang members create the malware samples, run the darkweb servers that handle the “negotiations” with victims, and collect the extortion payments…
…while the affiliates handle breaking into victims’ networks, mapping them out, and lining up the final attack in which as many computers on the network as possible have their data scrambled at the same time.
The “business theory”, if we can call it that, is that by taking 30% of every successful attack, the core criminals become extremely wealthy indeed, but keep a low profile away from the network-cracking limelight.
At the same time, by handing 70% to their “affiliates”, they encourage those co-conspirators to make each attack as debilitating as possible, potentially increasing the amount that victims can ultimately be squeezed into paying to get their business running again.
Vachon-Desjardins had been a federal government worker in the Canadian Capital Region (he comes from Gatineau in Quebec, directly across the river from the federal capital Ottawa in Ontario).
He seems to have decided that joining the cybercrime underworld would be much more lucrative than his government job, and it seems that he did indeed rack up a small fortune in illegal earnings…
…until he was identified, arrested and prosecuted in Canada.
After being sentenced to nearly seven years in a Canadian prison, he was then extradited to Tampa, Florida, in the US, to face four federal charges there:
- Conspiracy to Commit Computer Fraud
- Conspiracy to Commit Wire Fraud
- Intentional Damage to a Protected Computer
- Transmitting a Demand in Relation to Damaging a Protected Computer
The choice of Tampa for his trial was because a known victim of one of his “NetWalker” ransomware attacks is based there.
Vachon-Desjardins has now pleaded guilty to all four charges, with the plea agreement (thanks to The Register for uploading a copy of the court document) explaining:
The NetWalker Ransomware was a specific type of malicious software (malware) that was used to compromise and restrict access to a victim’s computer network in an effort to extort a ransom. Conspirators used NetWalker not only to encrypt victim data, but also used the malware to steal sensitive data from victims. If a victim did not pay the ransom, conspirators would refuse to decrypt victim data and would publish the sensitive, stolen data online. The stolen data was often published on a dark web website named “the NetWalker Blog,” which existed for the primary purpose of facilitating the publication of stolen victim data.
NetWalker operated as ransomware-as-a-service (“RaaS”), featuring Russia-based developers and affiliates who resided all over the world. Under the RaaS model, developers were responsible for creating and updating the ransomware, and making it available to affiliates. Affiliates were responsible for identifying and attacking high-value victims with the ransomware. After a victim paid, developers and affiliates split the ransom. Sebastien Vachon-Desjardins was one of the most prolific NetWalker Ransomware affiliates.
SophosLabs has analysed the NetWalker ransomware in detail, thanks to a stash of files recovered by our threat response team during a ransomware incident investigation in 2020:
The plea deal also notes that:
On or about January 27 and 28, 2021, the Royal Canadian Mounted Police executed search warrants at Vachon-Desjardins’ home and on safe deposit boxes held by Vachon-Desjardins at National Bank, Gatineau, Quebec.
During these searches, law enforcement seized, among other assets, all bitcoin contained in the defendant’s BTC Wallet 3Pxki6pFFKC12YSn8JtDs3ZrEg3pFTHnHd.
This seized bitcoin was derived primarily from ransom funds paid by victims of NetWalker Ransomware attacks.
The amount seized was just under BTC 720, worth about US$23 million in early 2021, and still worth about US$14 million today.
That wasn’t all, however, with the court document stating:
Law enforcement identified and seized copies of the server that operated as the backend, or internal-facing, server of the NetWalker Tor Panel and the NetWalker Blog. This server contained detailed transactional information as to the NetWalker developers and affiliates. The transactional records revealed that during the course of the conspiracy, approximately 100 affiliates had been active, and victims had paid approximately 5058 bitcoin in ransoms (an approximate total of US$40 million based on the value of bitcoin at the time of each transaction).
These records also tied Vachon-Desjardins to the successful extortion of approximately 1864 bitcoin in ransoms (an approximate total of US$21.5 million based on the value of bitcoin at the time of each transaction) from dozens of victim companies across the world, including [the victim in Tampa, Florida].
As Chester Wisniewski put it in the March 2022 podcast:
Sebastien is temporarily “on loan” to the Americans, so they can punish him, but when he comes back, he still has to face his sentence here in Canada.
The wire fraud offence alone carries a maximum sentence of 20 years, but we’re assuming that the court will impose a lighter sentence on account of the plea deal being signed.
The plea agreement makes it clear that “[the] defendant is pleading guilty because [he] is in fact guilty.”
And part of the deal includes that the “defendant agrees to cooperate fully with the United States in the investigation and prosecution of other persons, […including] a full and complete disclosure of all relevant information, including production of any and all books, papers, documents, and other objects in defendant’s possession or control.”
In other words, Vachon-Desjardins is now expected to spill the beans, and rat out his former chums in the ransomware scene.