Crimeware Server Used by NetWalker Ransomware Seized and Shut Down
August 14, 2023 | By Paul Ducklin | Naked Security
Introduction
The US Department of Justice (DOJ) announced the seizure and shutdown of the web domain LolekHosted.net, the front end of a hosting service allegedly used for a range of crimeware-as-a-service activity. The service had operated since 2014 and is said to have generated over $20 million in proceeds, which the DOJ is seeking to recover. The DOJ also charged Artur Karol Grabowski, a 36-year-old Polish national, with running the service. Grabowski's whereabouts are unknown, and he remains a fugitive.
Bulletproof Hosting and the Alleged Criminal Activities
Sites like LolekHosted.net are commonly known as bulletproof hosts. They advertise not only that they will resist takedown efforts but also that they will protect their clients' identities, even if their servers are seized. The DOJ alleges that Grabowski facilitated the criminal activities of LolekHosted clients by allowing them to register accounts with false information, keeping no IP address logs for client servers, frequently changing the IP addresses of those servers, ignoring abuse complaints, and tipping off clients when law enforcement made legal inquiries.
The cybercrime allegedly enabled by LolekHosted included ransomware attacks, brute-force attacks, and phishing. Ransomware gangs typically run their negotiation and payment portals as anonymous dark web services, usually Tor hidden services with addresses ending in .onion, which is where victims are sent to haggle over the extortion payment. But the same gangs also need servers on the regular internet (the "bright web", as opposed to the dark web) with innocuous-looking domain names: these are used to stage attack infrastructure and to receive the data exfiltrated from victims before the ransom demand is made.
The DOJ states that Grabowski's customers included affiliates of the notorious NetWalker ransomware gang, and that LolekHosted servers were used in approximately 50 NetWalker attacks worldwide, including in the Middle District of Florida, where Grabowski has been indicted. According to the DOJ, the servers served as intermediaries for unauthorized access to victim networks and as storage for hacking tools and stolen data.
Recovering Funds and Potential Penalties
If Grabowski is captured and convicted, the DOJ intends to seek forfeiture of $21,500,000, which it says is equal to the proceeds of the alleged criminal activity. The DOJ does not say what happens if he is unable or unwilling to pay. He also faces a maximum penalty of 45 years in prison if convicted on all charges, though it is worth noting that maximum sentences are rarely imposed.
Analysis and Implications
The seizure and shutdown of the LolekHosted.net domain is a significant milestone in the fight against cybercrime. Bulletproof hosts have long been a challenge for law enforcement precisely because their business model is to enable illegal activity while shielding their customers from identification. That a service which operated for nearly a decade has now been taken offline and its alleged operator charged shows that even well-hidden operators can eventually be pursued, although Grabowski himself has not yet been apprehended.
The case also highlights the ongoing threats posed by ransomware, brute-force attacks, and phishing. These crimes continue to evolve, with criminals constantly finding new ways to exploit vulnerabilities and deceive victims. While the seizure of LolekHosted.net disrupts some criminal operations, other similar hosting services are almost certainly still facilitating illegal activity. Vigilance and collaboration between law enforcement, security researchers, and technology companies remain crucial in combating these threats.
Editorial: Strengthening Internet Security Efforts
The seizure of LolekHosted.net should serve as a reminder that internet security must remain a top priority for individuals, organizations, and governments. The interconnected nature of our modern world enables both progress and threats, with cybercriminals constantly seeking to exploit vulnerabilities for their illicit gain.
Improving Cybersecurity Infrastructure
Efforts to combat cybercrime must include improvements to defensive infrastructure: investing in more robust security controls, adopting established best practices, and keeping up to date with the latest threats. Organizations must also prioritize security training and awareness among their employees, both to prevent attacks from succeeding and to detect and respond to them quickly when they do.
Global Collaboration and Information Sharing
International collaboration among governments, law enforcement agencies, and technology companies is crucial in responding to cybercrime effectively. Information sharing and joint operations enable faster detection and prosecution of cybercriminals. Governments must work together to establish clear legal frameworks to address cross-border cybercrime, ensuring that no jurisdiction can serve as a safe haven for cybercriminals.
Educating and Empowering Individuals
Individuals must also take an active role in protecting themselves online. Education about good security practices, such as using strong, unique passwords, treating unexpected emails and attachments with suspicion, and promptly applying software and system updates, is essential. Internet users should also consider reputable security tools and services as an extra layer of protection.
Conclusion
The seizure and shutdown of the LolekHosted.net domain represent a significant victory in the ongoing battle against cybercrime. However, this case also serves as a reminder that the fight is far from over. Continued collaboration, both between public and private entities and among individuals, is necessary to stay one step ahead of cybercriminals. By strengthening internet security efforts, we can create a safer digital landscape for all.