
Ransomware gang: successful investigation in the Republic of Moldova
A suspect in connection with the DoppelPaymer ransomware attacks has been caught in the Republic of Moldova and is to be transferred to the Netherlands.
(Image: Gorodenkoff/Shutterstock.com)
Authorities in the Republic of Moldova have arrested a suspect linked to ransomware attacks on Dutch companies in 2021. This was reported on Monday by the cybersecurity website Bleeping Computer.
According to the report, police officers searched the suspect's home and car last Tuesday and confiscated an electronic wallet, 84,800 euros, two laptops, a cell phone, a tablet, six bank cards and several data storage devices. The arrest was the result of a joint operation by the Moldovan prosecutor's office, the Moldovan Center for Combating Cybercrime and the Dutch law enforcement authorities, writes Bleeping Computer.
Suspect to be extradited
The 45-year-old suspect has been in custody since his arrest; extradition proceedings to the Netherlands are to be initiated. The authorities did not provide any information on his nationality. A press release from the Moldovan police merely refers to a "foreign national temporarily residing in the Republic of Moldova". He is "wanted internationally for committing several cybercrimes (ransomware attacks, extortion and money laundering) against companies based in the Netherlands", it continues.
The man is said to have organized a ransomware attack on the Netherlands Organization for Scientific Research (NWO), the Dutch national scientific organization, in 2021. The NWO made the incident public in mid-February 2021. The attack forced it to shut down its system for applying for funding, it said at the time. The damage caused was estimated at around 4.5 million euros. After the NWO refused to pay the ransom demanded, the attackers published the stolen documents on DoppelPaymer's dark web leak site.
DoppelPaymer in the sights of the authorities
DoppelPaymer is a malware that emerged in 2019 when cybercriminals began using the ransomware Trojan to attack organizations, critical infrastructure and industries. It is based on the BitPaymer ransomware and belongs to the Dridex malware family. According to the European Police Office (Europol), the ransomware uses "a unique tool that is capable of compromising defense mechanisms". Security-relevant processes of the attacked systems are stopped or undermined. As in the NWO case, the captured files are often used by cyber criminals to force ransom payments.
Videos by heise
At the end of February 2023, the State Criminal Police Office of North Rhine-Westphalia (LKA NRW) and the Ukrainian National Police conducted raids in Germany and Ukraine against suspected core members of the DoppelPaymer ransomware group. The searches provided the first clues about the people behind the criminal organization. The group is said to be responsible for cyberattacks against the DĂĽsseldorf University Hospital, the Funke media group and the district of Anhalt-Bitterfeld, among others.
In autumn 2023, the LKA NRW reported further searches of masterminds and members of the cyber gang. Although there were already isolated leads on two urgently wanted suspects, Igor Olegovich Turashev (43) and Igor Garshin (34), there is still no trace of them. However, if the age information provided is correct, the man who has now been caught by the authorities in Moldova is not one of them.
(akn)