
Ransomware is now big business, comprising many groups – each akin to a small enterprise, involving many workers with different skill sets. (Photo: Kirill Kudryavtsev/AFP/Getty Images)

Sebastien Vachon-Desjardins was a successful ransomware hacker. In just over a year, the Canadian made millions by invading corporate computer networks and holding records hostage, releasing the data only when the firms, schools or government agencies he had targeted paid him.

From May 2020 until his arrest in January 2021, the 34-year-old Gatineau, Que., resident hit scores of organizations around the world. Almost 20 were in Canada, including College La Cité, an Ottawa school he once attended and from which he extorted US$227,000.

When police raided his home last year, they found $300,000 in Canadian currency before seizing cryptocurrency wallets holding millions. Confronted with that evidence, Mr. Vachon-Desjardins confessed to being a high-level hacker. But he also said there were some computer systems he and his accomplices would never breach.

“The ransomware creators had imposed one significant restriction on the software’s use,” reads a Crown statement filed in the Ontario Court of Justice in Brampton, Ont., that summarizes Mr. Vachon-Desjardins’ admissions. “No attacks against Russia and its former Soviet republics.”

In a sentencing ruling released last month, Justice Paul Renwick called Mr. Vachon-Desjardins a “sophisticated cyberterrorist” but made no specific mention of Russia. Mr. Vachon-Desjardins has since been extradited to the United States to face similar charges.

The criminal case recently resolved in Ontario has yielded valuable insights into the inner workings of “ransomware as a service” operations arising out of Russia and its client states and how the Canadian was a key player in one such enterprise.

The Globe and Mail has since obtained the exhibit evidence filed in the case. It lays out just how Mr. Vachon-Desjardins was in league with several Russian ransomware developers before he became one of the first people charged in Canada with ransomware-related offences. (Prosecutors say he may well be the first.)

Usually, such criminals are out of reach for North American law-enforcement agencies. “Some countries that house ransomware operators, like Russia, do not extradite their citizens,” reads a prosecutorial synopsis. It says that while China and Iran also play a role in ransomware attacks, actors based in Russia and its environs are often among the most sophisticated.

Ransomware is now big business, comprising many groups – each akin to a small enterprise, involving many workers with different skill sets. Software developers create the malware that can scramble irreplaceable corporate records and unscramble them only when a ransom is paid. Lower-level employees work at the equivalent of an IT help desk, where they are on call to conduct online chats, walking victims through the arcane steps of rendering payment in cryptocurrency.

But it is the arm’s-length “affiliates” – the independent hackers who operate like contractors – who are the stars. They drive revenue growth by choosing which corporate networks are most vulnerable. And they reap as much as 80 per cent of the profits of any successful attack.

This was Mr. Vachon-Desjardins’ arrangement, according to his admissions, money trails and the chat logs that unspooled his relationship with NetWalker, a now-defunct ransomware group whose leaders were Russian-speaking.

“In his statement he believed he profited approximately 650 [bitcoin] from his share of the ransoms paid,” court documents say. That much cryptocurrency would be worth about $35-million today.

Such profit incentives have led ransomware attacks to double in tempo and in costs to businesses between 2020 and 2021, according to a recent report from the Canadian Centre for Cybersecurity. “Canada is among the top countries impacted by ransomware,” the federal agency said.

Now, in the wake of Russia’s invasion of Ukraine, it may get worse, given how the West’s stiff sanctions on Moscow are prompting dread about a wave of retaliatory cyberattacks.

On Monday, U.S. President Joe Biden met with chief executives as his administration’s officials held a news conference urging businesses to lock down their data. Washington has “evolving intelligence that the Russian government is exploring options for potential cyberattacks,” Mr. Biden said.

Moscow employs sophisticated spies and government hackers. But experts say these professionals are often in cahoots with cybercriminals. “Organized crime groups operating out of Russia do so under a couple of conditions. One is you don’t hack Russian-language sites. They are out of bounds,” said Bob Gordon, a former Canadian intelligence official.

“The other part of the rule is if you get asked for assistance or a favour from one of the [Russian] state security agencies, then you are going to say yes,” said Mr. Gordon, now an executive at the Canadian Cyber Threat Exchange, a forum where Canadian businesses share cybersecurity tips.

Experts say some ransomware never attacks Russia or its client states by design. A computer program’s coding can scan a victim’s network and shut itself down if it concludes its attack is landing anywhere within the Russia-led Commonwealth of Independent States (CIS). “You effectively see minimal or no CIS targeting in the known victim lists of any major ransomware operator,” said Jeremy Kennelly of cybersecurity company Mandiant.

When it comes to hiring hackers, he said, many of today’s largest ransomware groups “tend to prefer their affiliates to be Russian-speaking.”

But Mr. Vachon-Desjardins was an exception to that rule. The Canadian court file reveals that when police raided his home they found tax returns indicating he was making $60,000 a year at his day job. He was a federal civil servant doing IT work inside the procurement department.

He first joined forces with NetWalker in May 2020, deploying its software inside corporate networks. Some attacks earned him ransoms; other times, victims refused to pay.

Police encouraged Canadian organizations to file impact statements in court so they could recover money from the funds seized from Mr. Vachon-Desjardins.

“People felt terrorized and violated,” said Erna Hansen, a general manager at Windward Software in Penticton, B.C. She wrote that her company’s leaders suffered sleepless nights on the Labour Day weekend in 2020, when they called each other after midnight, seized with the sudden knowledge that their systems had been breached.

Windward did not pay a ransom but still incurred $100,000 in damages. Ms. Hansen told the judge that Mr. Vachon-Desjardins “needs to know that there are really wonderful people” being targeted by his crimes. “People with young families and normal daily struggles.”
