A United States court recently sentenced a Canadian citizen to 20 years in prison for his participation in the NetWalker ransomware attacks. The case displays the coordination of law enforcement units across borders in response to the threat of attacks that similarly transcend borders.

Background

Following a request from the U.S. Federal Bureau of Investigation for assistance identifying a Canadian suspect in their investigation into NetWalker, the RCMP arrested Sebastien Vachon-Desjardins, a former Government of Canada employee, in January 2021. After his arrest, the RCMP searched his home and seized 719 bitcoin (worth approximately $35 million at the time of the seizure) and $790,000 cash. He was charged in Canada with mischief in relation to computer data, unauthorized use of a computer, extortion and participating in a criminal organization. In January 2022, he pleaded guilty to three of the four charges, and was sentenced by an Ontario court to seven years in prison. In addition, he was ordered to forfeit the bitcoin, most of his seized computing devices and all of the cash seized by the RCMP, as well as to pay more than $2.6 million in restitution to the businesses affected by the attacks.

Following his Canadian sentencing, Vachon-Desjardins was extradited to the United States, where he was charged with conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer. Vachon-Desjardins pleaded guilty to all four charges. On October 4, 2022, a U.S. District Judge in Florida sentenced  him to 20 years in prison, and ordered him to forfeit US$21.5 million. Restitution will be ordered by the U.S. court at a later date.

Ransomware attacks

As discussed in a  previous post, ransomware is a form of malicious software designed to block access to data or a computer system. Ransomware often encrypts data or programs on information technology systems in an effort to extort ransom payments from victims in exchange for decrypting the information and restoring system access. These types of attacks have increased in frequency, severity and sophistication in recent years — further accelerated by the COVID-19 pandemic and the world's heightened reliance on the use of online systems for the purposes of conducting business.

The NetWalker ransomware attacks in which Vachon-Desjardins participated involved hacking the computer systems of hospitals, school districts, municipalities, companies and other victims, encrypting their data, and demanding ransom payments in exchange for its return. If their demands were not met, the data was posted on NetWalker's blog on the dark web. NetWalker operated primarily during the COVID-19 pandemic, specifically targeting the healthcare sector. Over 30 countries were targeted and $40 million in ransom payments was collected.

Risks associated with ransomware attacks

With the increased prevalence of ransomware attacks in recent years, companies face a number of associated risks, including those related to

  • Data protection: Companies have certain obligations with regards to privacy and confidentiality of customer and counterparty data. Without proper protections in place to safeguard data against ransomware attacks, companies risk exposure to civil liability, as well as both business and reputational risks, should the data become subject to an attack.
  • Business risks: Companies subject to ransomware attacks may face significant business disruptions that may affect their ability to operate efficiently, as well as relationships with customers and counterparties.
  • Money laundering: While the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has stated that the act of sending ransomware funds, usually in the form of virtual currency, is not contrary to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, there are still risks for reporting entities. For instance, where the destination of the transaction raises suspicion that the transaction is related to money laundering or the financing of terrorist activity, the sender is obligated to submit a suspicious transaction report to FINTRAC. (See our  earlier discussion of Canada's approach to ransomware payments.)

The U.S. Financial Crimes Enforcement Network specifically highlights [PDF] governmental entities and financial, educational and healthcare institutions as increasingly popular targets for these types of ransomware attacks.

Cross-border enforcement

The convictions highlight the borderless nature of both ransomware attacks and white-collar crime generally. By its nature, modern white-collar crime, including ransomware attacks, is a global issue and may have a substantial connection to the laws of multiple jurisdictions. From a compliance perspective, this requires companies to turn their minds to obligations and regulator requirements imposed by law of all jurisdictions potentially applicable to them. From an enforcement perspective, authorities increasingly work with a cross-border approach, including information sharing and cooperative enforcement. Among other things, pursuant to the Treaty Between the Government of Canada and the Government of the United States of America on Mutual Legal Assistance in Criminal Matters  (MLAT) process between Canada and the United States, the U.S. Department of Justice can request assistance from the RCMP through the International Assistance Group (IAG) of the Canadian Department of Justice to gather evidence in Canada and vice versa. The borderless nature of ransomware and other forms of economic and financial crime make it critical for companies to look at compliance issues from a global perspective.

Takeaways

Businesses and agencies need to ensure that they have effective controls in place to ensure adequate data protection over all confidential and private information. If a company becomes the victim of a ransomware attack or is asked to facilitate any transaction that it has reason to believe may be connected to a ransomware payment, it should seek the advice of counsel.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.