Canadian accused of ransomware attack on Tampa company

TAMPA — A former Canadian government employee was extradited to Florida on March 9 after taking part in a sophisticated ransomware attack that extorted a company in Tampa, according to the Department of Justice.

Sebastien Vachon-Desjardins, 34, of Gatineau, Quebec, is facing multiple charges stemming from his alleged participation in NetWalker, a ransomware that has been used to extort money from companies across the globe. Vachon-Desjardins used NetWalker in 2020 to damage a “protected computer” at an unnamed Tampa company, and then sent a ransom note, according to an indictment returned in the Middle District of Florida.

Ransomware is malicious software, also known as malware, that stops a person from accessing their computer files, systems or networks, according to the Federal Bureau of Investigation. A person or company has to pay a ransom to regain access.

In some types of ransomware attacks, such as with NetWalker, the culprit spreads the ransomware to other computers connected to the network, and a demand for payment is only sent once the network is compromised and the data is encrypted, authorities said.

Vachon-Desjardins would have to forfeit at least $27 million — the amount officials believe he illegally obtained — if he is found guilty, according to the indictment. The United States would take the money and return it to the identified victims as restitution, according to William Daniels, a spokesperson for the Middle District of Florida.

The Justice Department did not name the Tampa-based company in the indictment.

“Ransomware is a multi-billion-dollar criminal enterprise that transcends physical and political boundaries,” said U.S. Attorney Roger B. Handberg of the Middle District of Florida in a written statement. “International collaboration is essential to identify the perpetrators of these sophisticated schemes.”

A grand jury empaneled from the Middle District of Florida indicted Vachon-Desjardins on four charges in December 2020: conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer.

At the request of U.S. authorities, Canadian police arrested Vachon-Desjardins on Jan. 27, 2021. Police executed a search warrant and seized 719 bitcoins, currently valued at more than $28 million, from Vachon-Desjardins’ home in Gatineau, the news release said.

More than a year later, on March 9, Vachon-Desjardins was extradited from Canada to Florida. The following day, a federal judge in Tampa ordered that he be detained until his trial, court records show.

“The department will not cease to pursue and seize cryptocurrency ransoms, thereby thwarting the attempts of ransomware actors to evade law enforcement through the use of virtual currency,” said Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department’s Criminal Division in a written statement.

Vachon-Desjardins was brought to Florida based on the extradition treaty between the U.S. and Canada, the release said.

The FBI’s Tampa Field Office is investigating the case.

Vachon-Desjardins was referred to as a former Canadian government employee by the FBI. The Department of Justice deferred questions about Vachon-Desjardins’ employment to the Royal Canadian Mounted Police. The Royal Canadian Mounted Police did not respond to a request for comment by press time.

The Department of Justice announced an international effort from law enforcement to disrupt NetWalker on Jan. 27, 2021. A few weeks earlier, law enforcement seized more than $450,000 in cryptocurrency — made up of ransom payments from people targeted in three separate NetWalker ransomware attacks, the release said.

NetWalker attacks have been launched against companies, hospitals, municipalities and schools across the world, the release said, and the healthcare sector specifically has been targeted during the pandemic.

NetWalker runs as a “ransomware-as-a-service” model, the Department of Justice said in a 2021 press release. Developers create and update ransomware and make it available to “affiliates.” Affiliates then identify and attack targets with the malware.

When a victim’s computer network is compromised, an affiliate will then send a ransom note to the victim using Tor, an anonymous messaging network, with instructions on how to pay. After a victim pays, developers and affiliates split the ransom, according to a Jan. 27, 2021, news release from the Justice Department.

“This investigation is yet another example of the outstanding work conducted by the Tampa FBI Cyber program, the Middle District of Florida, the FBI’s Cyber Division, and our law enforcement partners around the world,” said Sanjay Virmani, acting special agent in charge of the FBI’s Tampa Field Office.

