A Canadian man who played part in ransomware attacks on hospitals, government agencies, and businesses was sentenced to 20 years in prison and ordered to forfeit the $21.5 million U.S. investigators said he received from his hundreds of victims.
Sebastien Vachon-Desjardins, of Quebec, was involved with an international cybercrime group that since 2019 deployed NetWalker ransomware to lock up crucial computer systems of hospitals and other health entities, manufacturers, businesses, universities, and government agencies across the United States, Europe, and Asia Pacific until ransoms were paid, according to the Department of Justice (DOJ).
Vachon-Desjardins was indicted in December 2020 in U.S. District Court for the Middle District of Florida for his role in a ransomware attack and extortion of an unnamed company in Tampa, Fla., in May 2020. He pleaded guilty to one count each of conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.
Vachon-Desjardins formerly worked as an IT specialist for the Canadian government.
A raid on his home during his January 2021 arrest netted 719 bitcoin, which were valued then at about $21.8 million. He had extorted at least that amount from his victims, the DOJ said.
“The defendant identified and attacked high-value ransomware victims and profited from the chaos caused by encrypting and stealing the victims’ data,” said Assistant Attorney General Kenneth Polite Jr. of the DOJ’s Criminal Division in a press release Tuesday.
NetWalker became widely recognized as a security threat in March 2020 after it invaded an Australian transportation and logistics company and U.S. public health organization, the Federal Bureau of Investigation (FBI) said in a July 2020 cybersecurity warning. The ransomware often gains access to computers by exploiting virtual private network appliances that haven’t been updated or weak passwords, the FBI said.
By September 2020, the ransomware had affected health entities in Maryland, Illinois, Pennsylvania, and California and taken at least $30 million from its victims. The University of California San Francisco paid a ransom of more than $1 million, according to cybersecurity report from the Department of Health and Human Services (HHS).
The attacks shut down healthcare facilities during the height of the Covid-19 pandemic and resulted in the personal data of patients being compromised and sold, HHS said. The ransomware understands Russian, and it doesn’t allow computers in Russia to become infected, according to HHS.
The DOJ said upon announcing the arrest of Vachon-Desjardins it was launching a coordinated, international effort to bring down NetWalker.