European and US law enforcers have joined forces to arrest a suspected ransomware affiliate member who targeted firms in an IT supply chain attack.
Europol’s European Cybercrime Centre (EC3) supported the FBI and Romanian National Police in making the arrest at the suspect’s home in Craiova, Romania, in the early hours of yesterday morning.
He’s suspected of targeting a large Romanian IT company that provides services to corporate customers in the retail, energy and utilities sectors.
The individual used this access to deploy crypto-ransomware and steal files from many of those customers located both in Romania and abroad, according to Europol.
Among the data was financial information, personal information on employees and customers, and other important documents.
Using classic double extortion techniques, he then threatened to publish the information on a data leak site unless a ransom was paid. It’s not clear, however, if each individual company was blackmailed or just the original IT provider.
EC3 said it provided analytical, cryptocurrency tracing, malware analysis and forensic support, and sent two experts to Romania to help with seizing cryptocurrency assets and carrying out forensic work.
In May last year, police swooped on a Romanian gang suspected of preparing to launch ransomware attacks on hospitals, with Locky or BadRabbit variants hidden in phishing emails, using COVID-19 information as a lure.
Just last month, Romanian police arrested two individuals suspected of involvement in an affiliate group associated with the infamous REvil gang.
Officers claimed they had been responsible for 5000 attacks which netted half a million euros.
“All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab,” said Europol at the time.