A Romanian affiliate suspected of being involved in ransomware attacks on multiple high-profile companies worldwide, including a large Romanian IT firm with clients from the retail, energy, and utilities sectors, was arrested by Romanian law enforcement authorities. The suspect, a 41-year-old Romanian national, was apprehended at his home in Craiova by the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) and judicial police officers. He is accused of unauthorized access to a computer system, unauthorized transfer of computer data, illegal interception of a computer transmission, and blackmail.
The suspect gained access to the computer networks of several companies, including those in Romania and other countries, and extracted large volumes of data. He then demanded a sizeable ransom payment in cryptocurrency and threatened to leak the stolen data on cybercrime forums if his demands were not met. The Romanian National Police reported that the suspect stole various sensitive information, including companies’ financial information, employees’ personal information, and customers’ details.
The investigation was carried out within the European Multidisciplinary Platform Against Criminal Threats (EMPACT) framework, with assistance from the FBI and Europol’s EC3. It is not yet known which ransomware gang the suspect was working with, but his arrest follows the arrest of two Sodinokibi/REvil ransomware affiliates in November.
The recent arrests of ransomware affiliates demonstrate that law enforcement worldwide is disrupting Ransomware-as-a-Service (RaaS) operations by apprehending affiliates located all over the world. Although the core ransomware gang operators remain safe in Russia, the crackdown on ransomware activity is expected to continue.