Canadian man sentenced to 20 years in U.S. prison for NetWalker ransomware attacks

A U.S. court has sentenced a Canadian man to 20 years in prison for his role in a number of cyberattacks involving the ransomware NetWalker.

The U.S. Department of Justice announced the sentence on Tuesday for Sebastian Vachon-Desjardins, 35, of Gatineau, Que., over his participation in the NetWalker ransomware attacks, which targeted dozens of victims around the world including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges and universities, the department says.

In particular, the U.S. Department of Justice points to the use of NetWalker to specifically target the health-care sector during the COVID-19 pandemic.

U.S. District Judge William F. Jung in Tampa, Fla., sentenced Vachon-Desjardins on four charges, which he previously pleaded guilty to, including conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer.

As part of the ruling, Vachon-Desjardins must also forfeit US$21.5 million.

"The defendant identified and attacked high-value ransomware victims and profited from the chaos caused by encrypting and stealing the victims' data," assistant attorney general Kenneth A. Polite Jr. of the U.S. Justice Department's Criminal Division said in a news release issued Tuesday.

"Today's sentence demonstrates that ransomware actors will face significant consequences for their crimes and exemplifies the Department's steadfast commitment to pursuing actors who participate in ransomware schemes."

The Canadian Centre for Cyber Security describes ransomware as the most common and rising cyberthreat facing Canadians.

A ransomware attack involves the use of malicious software to encrypt, steal or delete data, followed by a demand for a ransom payment.

The Royal Canadian Mounted Police (RCMP) announced in March that Canada's justice minister had ordered the extradition of Vachon-Desjardins to the U.S. following his indictment by a federal grand jury in Florida.

Prior to that, the RCMP said it had been investigating the NetWalker attacks since August 2020 after receiving information and a request from the U.S. Federal Bureau of Investigation to help identify the suspect.

Police searched Vachon-Desjardins' home in January 2021, which resulted in the seizure of $790,000 in Canadian currency and 719 bitcoin, worth approximately C$35 million.

At the time, the RCMP said it was believed to be the largest seizure of cryptocurrency, by value, in the country to date.

Vachon-Desjardins has already faced criminal charges in Canada, similar to the ones in the U.S., including unauthorized use of a computer, mischief in relation to computer data, extortion and participating in a criminal organization.

The RCMP said he ultimately pleaded guilty to the latter three and in January 2022, a Brampton, Ont., court sentenced Vachon-Desjardins to seven years in prison, as well as the forfeiture of 680 bitcoin, most of his seized computing devices and $742,840. The judgment also included a restitution order of more than $2.6 million to businesses affected by the ransomware attacks.

Reuters reported in March that a LinkedIn profile for a Sebastien Vachon, which appeared to match the accused's description, showed he previously worked as an IT consultant for Public Works and Government Services Canada.

With files from Reuters