TAMPA — A federal judge sentenced a Canadian man to 20 years in prison Tuesday for his role in a ransomware scheme that netted him $21 million and caused an estimated $40 million in losses worldwide.
Sebastien Vachon-Desjardins, 34, who was extradited earlier this year from Quebec, was also ordered to serve three years of supervised release after he leaves prison, with conditions that he submit to searches and provide financial information to a probation officer. He was also prohibited from owning a personal computer or holding information technology jobs.
U.S. District Judge William Jung went above the 12-to-15-year prison term that federal guidelines suggested. He spoke of aiming to deter cybercriminals from committing such crimes.
“You have one of the worst cases I’ve ever seen,” the judge told the defendant. “This is Jesse James meets the 21st century.”
Ransomware is a type of malicious software that locks up a computer’s data and renders it unusable. A typical attack involves a cybercriminal gaining access to a computer network and uploading the ransomware with a message demanding money in return for restored access.
Attacks have targeted governments, businesses and individuals. Payments are often requested in the form of cryptocurrency. The perpetrators often threaten to release sensitive data onto the dark web if the ransom is not paid. Estimated losses from such attacks range in the billions.
Vachon-Desjardins formerly worked in information technology for the Canadian government. He became affiliated with a Russia-based group that operated a brand of ransomware known as NetWalker. Data lifted through ransomware attacks was published on a website dubbed the “NetWalker Blog.”
The NetWalker attacks targeted companies, hospitals, schools, law enforcement agencies and emergency services, among others.
Attacks were specifically aimed to extort victims in the health care sector amid the COVID-19 pandemic, according to federal prosecutors. The government counted more than 400 entities that had been attacked in 30 countries.
“The victimization in this case is staggering,” said Assistant U.S. Attorney Carlton Gammons.
On April 30, 2020, Vachon-Desjardins accessed a Tampa company’s computer network, according to a plea agreement. He elevated his privileges within the network and spread ransomware from workstation to workstation.
The next day, a message greeted company employees:
“Hi! Your files are encrypted by NetWalker,” it read. “If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased...”
The message went on to warn not to try to reboot the computer, as doing so would cause the company to lose files. It asked for cooperation to obtain a decypher program that would restore the company’s access to its own network.
Want breaking news in your inbox?
Subscribe to our free News Alerts newsletter
You’re all signed up!
Want more of our free, weekly newsletters in your inbox? Let’s get started.Explore all your options
“For us this is just business,” the message stated.
The ransom note included a code and a URL for a website dubbed the “NetWalker Tor Panel” on the dark web. After entering the code, victims were given a ransom amount and payment instructions.
The Tampa company, which is referred to in court records as “Victim 1,” was demanded to pay $300,000 in bitcoin. The company did not pay the ransom. But they estimated having paid $1.2 million responding to the attack, containing the damage and restoring normal operations.
Investigators identified and seized copies of a server that operated as the back end for the NetWalker website. The server contained transactional information for NetWalker’s developers and more than 100 affiliates. The records showed that victims had paid ransoms totaling about $40 million in bitcoin. Investigators tied Vachon-Desjardins to about $21.5 million that had been extorted from dozens of companies around the world, according to the plea agreement.
On Jan. 27, 2021, the Royal Canadian Mounted Police searched Vachon-Desjardins’ home in Gatineau, Quebec, and safe deposit boxes in his name. He was arrested the same day. In March, he was extradited to the U.S.
He pleaded guilty in July to charges that included conspiracy to commit wire fraud.
“He very much understands what he did was wrong,” said his attorney, Mark O’Brien.
Vachon-Desjardins had never before been in trouble, his lawyer said. He had a good job, two caring and attentive parents, a wife and two dogs.
“He has a life that he ruined as a result of this case,” O’Brien said.
The judge, while complimenting the lawyer’s work, was unequivocal in what he thought of the crimes Vachon-Desjardins committed.
He described it as “digital extortion” through the use of “non-physical force.” He said those who perpetrate ransomware schemes need to expect severe consequences.
“It is bad stuff,” he said. “If you had gone to trial, I would have given you life.”