U.S. Takes Part in Multinational Efforts to Disrupt Netwalker Ransomware and Emotet Malware | Alston & Bird

On January 27 and 28, 2021, the U.S. Department of Justice (DOJ) announced two successful operations to disrupt two different strains of malware, Netwalker ransomware and a banking Trojan known as Emotet, which have affected victims around the globe and caused millions of dollars in damage in recent years.

The law enforcement actions against Netwalker and Emotet are the latest examples of successful cooperation between international governments in fighting cybercrime that transcends borders, as the U.S. partnered with Canada, France, Germany, the Netherlands, the United Kingdom, Lithuania, Sweden, and Ukraine to disrupt the Emotet botnet, and Bulgarian authorities assisted with the operation against Netwalker  The DOJ announcement regarding Emotet notes that, “Now, more than ever, international collaboration is an imperative… This investigation will be a paradigm of effective international law enforcement cooperation directed at global cybercrime.” Below we highlight key aspects of each operation.


On January 27, 2021, the DOJ announced charges against a Canadian individual in relation to Netwalker ransomware attacks allegedly involving the extortion of tens of millions of dollars. The DOJ also announced that the law enforcement operation involved the seizure of approximately $500,000 in cryptocurrency from ransom payments and the dismantling of a dark web resource allegedly used to communicate with ransomware victims. Bulgarian authorities were able to seize the dark web hidden resource, and web visitors will now find a banner notifying them that the site has been seized by law enforcement.

Netwalker is one of the most common strains of ransomware and has affected victims in a variety of industries. The DOJ notes that attacks have specifically targeted the healthcare sector during the COVID-19 pandemic. Netwalker is frequently cited as an example of ransomware-as-a-service. According to the DOJ announcement, Netwalker “developers” create and update the malware, while “affiliates” conduct the actual ransomware attacks. If a victim pays a ransom, the payment is split between the two groups.


On January 28, 2021, the DOJ announced it had taken…