Tracking a hacker who extorted millions through ransomware attacks - The Fifth Estate

On this edition of The Fifth Estate. It says, "Hi, your files are encrypted. We recommend that you move away from the computer. Even God will not be able to help you." It was scary, and it took me into a whole world that I didn't know about. A criminal gang of hackers ruthlessly targeting companies and institutions around the world. This is the biggest ransomware investigation that I've worked on in my career. He asked me if I would be interested in participating in ransomware, so I said yes.

I'm Marie-Maude Denis. Imagine you run a big company, a university or even a hospital. You turn on your computer and all your critical files are gone, encrypted, and there's a ransom note demanding payment to get them back, sometimes millions of dollars. It's called ransomware, and it's on the rise, and ultimately we're all paying for it. Tonight we'll take you inside the biggest police takedown of a Canadian ransomware hacker, and we'll show you how they caught him. This is The Fifth Estate.

Canadians come to Florida for this, but last month the Canadian we came to see was here at the federal court in an orange jumpsuit, the final chapter of an incredible story.

I was in the Emergency Operations Center working on COVID. Someone came in from the IT department and told me that we had just been attacked by ransomware and that our files had been frozen. That was just like getting punched in the gut. My name is Julie Pryde and I'm the public health administrator for Champaign-Urbana Public Health District in Illinois.

She came in and she says, "I need you right now." She's like, "I have no idea what's going on and I need to get this fixed." My name is Pat Robinson and I'm the HR director here for Champaign-Urbana Public Health. We have divisions of maternal and child health, HIV, STD, hepatitis, family planning. Was there a breach or potential breach of client information? Did they have our financial information? You know, were our accounts going to be drained? So I was just sort of spinning. There's so many people here in the community that depend on us. All of our files were encrypted, all of our systems were down, 95 percent of our data, and everybody was freaking out.

So it's Friday night. We got a notice from one of our users that was trying to access a file; they got a file extension that could not be opened. I'm Arthur Keach, I'm IT project manager for Amicon Management Services, which is a property management company that also does construction. I was working late that night. Immediately I go, okay, this is clearly ransomware, and then your heart starts to pulse. The ransom note said if we didn't pay within seven days that they were going to publish all of our data, that we were expected to pay 10,000 US dollars through Bitcoin. Panic.

It was scary, and it took me into a whole world that I didn't know about. It was called... was it called NetWalker? NetWalker. A criminal gang of hackers hiding behind screens around the world, holding computer systems hostage until victims pay up.

I just almost got sick because I was already under so much pressure and stress from the COVID, and it was terrifying. We had IT call the FBI.

NetWalker was discovered being utilized against a victim in the Tampa Bay area, and shortly after that we started seeing ransomware all across the country. My name is Michael McPherson. I worked for 25 years in the FBI. NetWalker is a, you know, Eastern European criminal-based organization that has built a tool, their NetWalker ransomware, that they are basically franchising out to these affiliates around the world. NetWalker is made up of people who create the malicious software. They will steal some information in what we call a double extortion, so they're not only going to try to get the victim to pay a ransom, they're also threatening the victim that they're going to expose information that they've retrieved. And if the ransom was paid, the two would split. Generally between 70 to 80 percent would stay with the affiliate and the other portion would go back to the developer.

Victims received almost identical ransom notes. Let me get my glasses on. It says, "Hi, your files are encrypted. We recommend that you move away from the computer and accept that you have been compromised. The only way to get your files back is to cooperate with us and get the decrypter program. Rebooting, shutdown will cause you to lose files without the possibility of recovery, and even God will not be able to help you. Come chat with us and you could be surprised how fast we both can find an agreement without getting this incident public." That's what we received that morning, and we're like, oh, this is a joke, this has got to be a joke. And then we started just pulling everything up and it was like, oh no, it's not a joke.

They're asking the payment in Bitcoin. The Bitcoin can be moved across wallets relatively rapidly, so it makes it harder and harder to trace. When we found out that we were under attack and that we would have to pay a ransom in Bitcoin, I had no idea what it was, how it worked, where you got it, anything about that. I had absolutely no idea.

It's here on the NetWalker blog that the stolen information is published if the ransom isn't paid. The FBI notices that an affiliate known only as User 128 is very active. Who is he, and where is he? It was multiple investigative steps to pull together to figure out who it was. The FBI's break in the case came in spring 2020 when the hacker attacked a telecommunications company in Tampa. User 128 leaves behind a clue: an IP address linked to a server in Poland. We had a location first, and then from a location we were able to determine the name. Then 128 strikes again, two more victims in California, but the hacker leaves more clues behind on a second server in Poland: evidence that User 128 lives in a quiet middle-class neighborhood, in this house in Gatineau, Quebec. The investigation led us back to Canada, where we engaged with the Royal Canadian Mounted Police.

My name is Francois Picably. I'm a constable with the RCMP in the division of cybercrime. So in August 2020 we received information from the FBI about a Canadian that was involved with the NetWalker group. The suspect was a Sebastien Vachon-Desjardins. 33-year-old Sebastien Vachon-Desjardins was probably the largest affiliate in the NetWalker network. He was able to get rich very quick through his hacking activities.

When we come back: who is Sebastien Vachon-Desjardins? Hackers, you know, the image that you have, it's a teenager in his parents' basement, but no, it was truly the opposite.

August 2020. The owner of this house in Gatineau is on the FBI's radar, but they need the RCMP's help to confirm that User 128 is in fact Sebastien Vachon-Desjardins, who already launched ransomware attacks around the world. Constable Francois Picably is one of the lead investigators on the case. We started to help the FBI with their requests of identifying the mysterious Sebastien Vachon-Desjardins. We had already a lot of information from the FBI that we were able to start with, and then we were able to do our own security background check. The constable soon discovers Vachon-Desjardins is a convicted drug trafficker. We find a man who knows that story quite well.

My name is Denis Simard and I'm a lieutenant detective with the Gatineau Police Service. He was driving like a little car, like a Toyota Corolla, and his house, a small house. You don't go to restaurants often, you only go to the gym, work, and look like a very simple, quiet citizen. It doesn't make sense. I was working at the drug section and we had information about a lot of bags of drugs from a house: speed, marijuana, hashish. It was a lot of drugs, so it was a stash. He had about half a million of drugs on the street. The famous brand of cakes that bear his name. Speaking of cake, the icing on the cake for Denis Simard is learning what Vachon-Desjardins does for a living when he's not dealing drugs. We saw him at his job there in Ottawa. He was working for the federal government. His job is an IT worker for the National Research Council of Canada in Ottawa. During the day he was working there, and he came back at his home, and after dinner, a lot of trafficking at his house. He got like three and a half years of federal sentence. After serving a part of that sentence, he's released in 2016. He somehow manages to return to the public sector. His new employer, Public Services and Procurement Canada, wouldn't tell us whether it performed a background check on him.

Three years pass, to 2019. In November he was trafficking a lot of drugs again, so it was a priority for us. Again, and this time he's transporting drugs throughout the province. We saw him coming back and they parked the car at his house, and at this moment the other guy took a big brown barrel with the metal ring, so it was a big transaction. Simard arrests him again. How was he reacting? He talked about his parents, you know, "we deceived them," and for a guy who cares for his parents, I don't understand why you start again. He told me, "My problem, it's I always want more money." He was having kind of addiction, addiction to money. He always want more and more and more.

By 2020 the COVID-19 pandemic breaks out. Vachon-Desjardins is working from home awaiting his next court date for the drug file, and he sees an opportunity. NetWalker group is hiring. Here's an example of an ad they posted in the Cyrillic alphabet that appeared on a hacker forum. They do have rules when they are recruiting affiliates: they do not want English speakers, they want Russian-speaking affiliates primarily. That's because Russia is a safe haven for ransomware operators, according to experts, and it's become big business. From 2020 to 2021, ransomware as a service in the first half of the year increased by 151 percent, and that's a huge number. And the problem with cybercrime is it doesn't just grow a little bit, it doesn't follow regular trends, it grows exponentially.

I'm Lina Dabit. I am the officer in charge of the federal policing cybercrime investigative team based out of Toronto. The cost of either paying the ransom or remediating the compromised system, their costs have more than doubled. And so you look at a cost that, you know, a year ago was in the 970,000 dollar Canadian to sort of rectify this issue; now on average a ransomware attack will cost a company 2.3 million dollars to repair or to remediate. And the cost isn't just to the company. Take what happened when Colonial Pipeline in the US was hacked in 2021.

The Colonial Pipeline attack was one of the most significant, if not the most significant, ransomware attack of all time, not because of what happened but because of the response. My name is Joe Tidy. I'm cyber reporter at the BBC, so I cover cyber security, hacking, cryptocurrency, online privacy and a bit of gaming as well. It was a ransomware attack by the DarkSide cybercrime gang, again a Russian, we think Russian, cybercrime group. The company shut the pipeline down for six days, and it led to panic buying at the pumps, which then created a fuel shortage. The sheer panic in the US was incredible. Two months later the United States called out Russia for its failure to act. The president made clear, he underscored, the need for President Putin to take action to disrupt these ransomware groups. Ransomware attacks are nothing new. We've seen ransomware attacks way back in the early days of the internet, but what we noticed about three years ago was that ransomware became a big criminal enterprise.

In this criminal enterprise, Vachon-Desjardins is a rising star. In June 2020 he launches one of his biggest attacks. One of my really close cyber contacts sent me a dark web link to their negotiation portal, and I managed to watch the negotiation taking place between the university and the hackers. The target is the University of California in San Francisco, a medical research institution. This was at the time of the pandemic, when I, like many people, was extremely scared and frightened, and we were all locked in our homes, and this was a university really trying to find a vaccine and a cure to try and save lives, and there were these hackers just ruthlessly extorting the university. Joe Tidy follows the attack from London. The hacker asks for 3 million American dollars. The university offers 780,000. "Keep that 780,000 to buy McDonald's for all your employees. It's a very small amount for us. I'm sorry." "I hope you know that this is not a joke for me. I haven't slept in a couple of days because I'm trying to figure this out for you." "I understand you, but your university have a lot of money and I'm 100 percent sure they can get more than seven hundred eighty thousand dollars." That's a lot of money for anyone, but the hackers laughed at it. They said something about "all of the work I've put in, this does not reward me," and I'm thinking to myself, you haven't worked, you've broken into a university, you are criminals. The university would pay over 1 million US in ransom. If you remember the psyche of the nation at the time, of what we were going through trying to understand COVID, and hospitals being filled, and shortages of nurses, and the mental exhaustion of people, and then to take advantage of that by hitting them with the ransomware is pretty ruthless in my mind.

It's serious and painful for the victims, but for the hacker it seems to be a game. The FBI investigators find bizarre but revealing clues leading to Vachon-Desjardins: an email address, skankhunter@gmail.com. Skankhunt42 is a cyberbully in a South Park episode. And then a second one, at hotmail.com. But soon the party will be over for Vachon-Desjardins. For the rest of 2020 he continues his attacks while law enforcement on both sides of the border are closing in. Not only that we had our investigation starting, there was also criminal charges for drugs that were pending against him from the Gatineau police, and at the same time you have the FBI that's looking out for him to bring him onto American soil on the extradition warrant.

We had decided that we had enough evidence to pursue an indictment against Mr. Vachon-Desjardins. I'm Carlton Gammons. I'm a federal prosecutor in Tampa, Florida. My link to Sebastien Vachon-Desjardins is I was the lead prosecutor in his criminal investigation. Gammons has to shut down NetWalker and stop Vachon-Desjardins at the same time. It was important to arrest Mr. Vachon-Desjardins once we searched his home, because at that point he would know that we were on to him. We believe that he had made approximately 21.5 million dollars based on ransomware attacks, and I presume that he did not want to go to prison, so we were worried that, with his background and a large amount of money that was yet unaccounted for, that he would flee the country and that we wouldn't be able to apprehend him. This belief is partly based on messages exchanged between him and one of his alleged co-conspirators about a recent attack. "I hit them hard, bro," he says, followed by "soon I will come," in Russian. We discovered he was planning on making trips. We knew that he had traveled before, and I think the most prominent feature of a flight risk for us was the amount of time he would have been facing if he was convicted in a US court.

When we come back: the takedown. I could feel that he was very proud of his work. He asked me if I would be interested in participating in ransomware, so I said yes.

In March 2020 in Illinois, NetWalker hackers have brought the Champaign-Urbana Public Health District to a standstill. Pat Robinson and Julie Pryde must decide whether or not to pay the ransom. By the third day we were still negotiating with the threat actor, and we got to a point where they originally wanted 450,000 and we got it down to 370,000, which is a huge amount anyway. Once we paid the ransom, the question was, did we just hand somebody money and we're not going to get our stuff back? It was unnerving. You may or may not have a happy ending with this story. And then they send us a decryption key to get all the information back. We kind of created an ongoing problem. If you pay someone like that, you know, it's just like blackmail: if you pay them, they're going to go after someone else.

Fast forward to January 2021. In the town of Montmagny, the city manager Félix Michaud is considering his options. It's the beginning of the end for Vachon-Desjardins, and it all starts thousands of kilometers away in Bulgaria, in the middle of the night. The investigation had identified essentially the server that made the NetWalker ransomware work. That is where all the affiliates and developers sort of stored their information. We knew that once we took that server down, the NetWalker ransomware would essentially cease to operate. On January 27, 2021, there was a coordinated law enforcement effort involving US authorities, Bulgarian authorities and Canadian authorities. We didn't want to take the server down without having Mr. Vachon-Desjardins in custody. They managed to get hold of the back-end servers. They took down the blog, the naming-and-shaming victim blog, and they put up a thing saying this has now been seized by the US authorities. It was a lot of people working in tandem on that date to try to make that happen simultaneously. It was exciting. The FBI has no authority to effect arrests in another country, so we're not going to be the ones kicking in the door or putting the handcuffs on. That is the local police's job to do.

In Gatineau at dawn, Vachon-Desjardins is woken up by the sound of police at his door. He's met with a barrage of officers, but among them there's one familiar face. Never in my career was I thinking I would be involved in an FBI case and a big file like this. Simard arrests him for the third time, and this time on behalf of the US government. So when I came in the house I saw Sebastien, and he looked like someone who's lost a little bit. His expression was like someone who was asking for help. He needed me like a friend, he needed me like a buddy in that case. But because you were the good cop for him? Yeah, for now, yeah. He was very afraid. I can say that for him it was a hard day, and it's like the sky was falling on his head.

Once he was arrested, they did a search in the house. We obviously removed computers, data, evidence that came out of the house, in addition to information about bank accounts and Bitcoin amounts, and there was a significant amount of money involved as well too. We found numerous laptops, there were lots of computers, cell phones. We found a considerable amount of cash in Canadian currency that was stored in this bedroom. So at that moment we were able to see that we had a long investigation ahead in front of us, that we were dealing with the right person and that it was a very important affiliate, you know, in the NetWalker group. Vachon-Desjardins even hid some of his cash in a box under his slippers. We found about three hundred thousand dollars, you know, in his residence, and that was all hidden in his closet in his bedroom. We also found in his night table safety deposit box keys, and then from those keys we were able to locate the local safety deposit boxes. He hid another four hundred thousand dollars in safety deposit boxes at two local banks, but that was small change compared to what he had gained in cryptocurrency. We were able also to recover 719 Bitcoin, which is a multi-million dollar amount. The amount of Bitcoin we seized, it was worth at that time of the arrest over 30 million dollars Canadian.

Police would find a gold mine of information in several computers. We had 20 terabytes of data, which is the equivalent of, you know, filling up an arena full of paperwork. Once we had his actual devices, we were able to get a far more clear picture of what he was doing. We were able to see, sort of, with more clarity the number of victims that he was victimizing. Vachon-Desjardins attacked at least 18 Canadian companies, so then that was the next part of the investigation: the outreach to the victims.

In Vancouver, Arthur Keach at Amicon gets a phone call from the RCMP. We had a few meetings at the RCMP. They basically let us know, we have some information, we think we have a relationship with Amicon with this particular individual that they found; could we have access to your attack history logs? And we had kept good logs, and we were able to provide them IP addresses and timestamps, and we were able to tie all of that together, working together with the RCMP to help put together a charge. But not all of his victims would be as helpful as Amicon. So the victims weren't cooperating a lot with the investigation, and in some cases they didn't cooperate at all. It was very hard to get the story, to get the information from them, because they were trying to protect their reputation. The Canadian Anti-Fraud Centre estimates that approximately five percent of incidents are actually reported, and that's a horrible stat. There is a stigma attached to it. The criminal element, they're capitalizing on that. They're capitalizing on the fact that you really don't want your data out there, you don't want people to, you know, your reputation to have that impact, and so it stays in the shadows, and it flourishes in the shadows, and that's what's happening.

Vachon-Desjardins would shed light on the NetWalker operation. It's rare that hackers are caught, and ultimately police wanted to get restitution for his victims. They would move one step closer to that goal while he waited to be extradited to the US. The huge turning point in our investigation was when Mr. Vachon-Desjardins decided to talk and cooperate with our investigation. So I was responsible to conduct the interrogation, and then we were able to confirm the amount of victims with him and also to put a number on how many people were attacked by his ransomware activities. The interrogation lasted two days. He told them how he chose his victims.

"You asked me if I would be interested in participating in ransomware, so I said yes. Then, for targeting the Canadian victims, we had like more than 15 to 20,000 networks that we could access, which was all the credentials, usernames and passwords, and we were going from there one by one, and then we were starting to think, is this network worth it, or we go to the next one." "Did you have like a basis for, like an expectation of why you would choose a company?" "Yeah, so our expectation was if the revenue was around a minimum 30 million a year for their company. For let's say a revenue that would be around 30 million, we would ask one percent initially, and after negotiating with the victim we could go under, like 25 or 50 percent of the initial ransom." During the interrogation I had the impression that he was very proud of his work, considering how successful it was in the NetWalker group as an affiliate.

This past January, Vachon-Desjardins pleaded guilty to extortion among other crimes. He got a seven-year sentence in Canada. Five months later he pleaded guilty in the US. The NetWalker ransomware was very active. There were about 400 victims located across the world in 30 different countries. Two-thirds of the victims were located in the United States. Over 100 victims were attributable to Mr. Vachon-Desjardins. Every day was a new victim? Every day, almost, I would say. Almost every day was a new victim, yes. We were able to trace back that the day of his arrest, the day we executed the search warrant, there was a ransom that was paid from a victim. He compared Sebastien to Jesse James, the, I guess, centuries-old bank robber of the Wild West.

It was a Tampa, Florida attack that first put Sebastien Vachon-Desjardins on the FBI's radar. Now things are coming full circle for the government IT worker turned ransomware hacker. In just a few moments he will learn his fate in this Florida court behind me. Now he faces decades behind bars. On this morning his only ally is his lawyer, Mark O'Brien. Going into a sentencing is always very nerve-wracking. Sebastien obviously was very nervous. I was the proxy to his family and friends that care deeply about him, and I take that responsibility seriously. He enters the courtroom escorted by guards. Sebastien was sitting right next to me in the courtroom. The prosecutor was to my left, about 10 feet. This is the biggest ransomware investigation that I've worked on in my career. The NetWalker ransomware was very active, and it was only active for about a year and a half, but victims have paid about 5,058 Bitcoin in ransoms. At the time of those transactions, that's about 40 million dollars, and that's only taking into account the ransoms paid. A lot of companies don't pay ransoms at all, and those companies still have to reconstitute their network, so even the victims who don't pay end up, you know, being on the hook financially, and that's what we saw in this case.

Federal court judge William Jung enters the court and begins the hearing. Hoping for leniency, Mark O'Brien tells him about his first contact with his Canadian client. "I did wrong. I want to accept responsibility for doing that, committing that crime, doing that wrong, and I want to make sure that I don't fight extradition. I want to come to the United States. I want to tell the judge that I committed this crime and that I'm sorry." And that was his goal from the very beginning, which is unusual. It's the only card Vachon-Desjardins has left to play. There are no mitigating circumstances. He grew up living a very normal life, had two loving parents, he was gainfully employed, he went to school. There was really nothing that I know about him that kind of led you to believe that he would commit crimes of this nature. With his guilty plea, the two lawyers agreed on a sentence they proposed to the judge. In that plea agreement we assured Mr. Vachon-Desjardins that we would ask for a sentence between 13 to 14 years, which is the bottom of the federal sentencing guidelines. But the judge is clearly outraged. The judge referred to Mr. Vachon-Desjardins as a digital Jesse James, and I think the analogy was that while bank robberies were done, you know, perhaps 200 years ago on a horse with a shotgun, now they're often done with a computer, with some sort of computing device. I think the comparison is quite apt. This isn't, you know, a burglary or just a robbery. This is extortion.

The consequences are all too real for NetWalker's victims. 370,000. I remember doing that and not knowing what I was doing, which was also scary. Paying the ransom I regretted, because it just perpetuates the situation. Stopping them in their tracks and not paying, that is the brave thing to do. In the perfect world we would probably have said, you know what, we're not paying this, we're not gonna, you know, but we did. So yeah, this is not a victimless crime at all. It is not a victimless crime. As soon as that money went out, it's like, that's a lot of money that we could help individuals in this community with. Although many of Vachon-Desjardins' victims will get some kind of restitution, Julie Pryde and Pat Robinson are out of luck. It turns out they were attacked by his accomplices, of course still out there. Vachon-Desjardins is the only one who was caught. Have you identified other co-conspirators? We're still investigating that. We know that there were approximately 100 people, according to the FBI records, inside NetWalker who were involved in this. That's one of a hundred, so one percent. I think it's very clear to me that these people are still out there, and they've still got the skill sets, and they know what to do to make a lot of money. Coordination between US and Canadian authorities made him easier to catch than his co-conspirators. So it was bad luck to be Canadian? It was good luck for us. Vachon-Desjardins cooperated fully with police, but he wouldn't divulge anything about his co-conspirators. You're not only putting yourself at jeopardy while you're in custody, but you're also putting your family and your friends at risk. It's a dangerous world. Sebastien has opted, which is his right, to accept his punishment and move forward in life.

In Vancouver, Arthur Keach did not negotiate. I have a very strong position that you should never communicate or sort of consider any ransom with these individuals. The damage at Amicon was contained. We were fortunate in that we took the great precautions, offline backups, that allowed us to come up and have full functionality within 72 hours. Six of the 18 companies he hacked in Canada paid him 1.6 million dollars in ransom. Every company on Earth should be protecting themselves to the degree that they can recover from any ransomware attack. Ransomware is a system that can kill companies. So you look at, if a company pays a ransom for ransomware, costs go up: the costs of doing business, the costs of goods, shareholder prices. It impacts people in so many ways. Everyone pays for ransomware. The attack on Montmagny cost the town over two hundred thousand dollars, but it's not all bad news. Montmagny is one of a handful of victims who will be partially reimbursed, and when the FBI arrested Vachon-Desjardins, it gave Félix Michaud the decryption keys.

At the federal courthouse in Florida, he hears the judge say 240 months. The judge ended up varying upward and giving him the statutory max on the highest count, for 20 years. Part of a criminal organization that attacked 400 victims in 30 countries. I think Mr. Vachon-Desjardins' motivation purely was greed. I think Mr. Vachon-Desjardins wanted to make as much money as fast as he could, and he had made millions and could have stopped, but he didn't. In fact, in his confession he told police that a few weeks before he was arrested, he was helping his co-conspirators to fund a bigger and better version of NetWalker ransomware.
Info
Channel: The Fifth Estate
Views: 692,984
Keywords: ransomware, hacker, hacking, cybercrime, cyber attack, cyber security, cyber threat, ransomware attack, NetWalker, Canada, Russia, Gatineau, Quebec, Sebastien Vachon-Desjardins, FBI, FBI investigation, RCMP, CBC Fifth, CBC Fifth Estate, The Fifth Estate, CBC, CBC News
Id: 8dXI22AgB0I
Length: 43min 12sec (2592 seconds)
Published: Fri Nov 11 2022