Europol, the European Union's premier law enforcement agency, has announced the arrest of a third Romanian national for his role as a ransomware affiliate suspected of hacking high-profile organizations and companies and stealing large volumes of sensitive data.
The 41-year-old unnamed individual was apprehended Monday morning at his home in Craiova, Romania, by the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) following a joint investigation in collaboration with the U.S. Federal Bureau of Investigation (FBI).
It's not currently known which ransomware gang the suspect was working with, but the development comes a little over a month after Romanian authorities arrested two affiliates of the REvil ransomware family, who are believed to have orchestrated no fewer than 5,000 ransomware attacks and extorted close to $600,000 from victims.
Affiliates play a key role in the subscription-based ransomware-as-a-service (RaaS) business models, and are chiefly responsible for renting the toolset and the backend infrastructure from the core developers and launching their own attacks against a potential list of targets.
These actors are often recruited by the ransomware operators on underground forums, where their warez are advertised to Russian-speaking users or English speakers with a Russian-speaking guarantor, but only after vetting their technical skills. The affiliates also earn a large share of each successful ransom payment, ranging anywhere between 65% and 90%, making it an increasingly successful and profitable enterprise for cybercriminals.
According to Europol, the suspect is said to have targeted a large Romanian IT company delivering services to clients in the retail, energy and utilities sectors. Subsequently, the affiliate deployed ransomware and siphoned troves of data from the company's customers located in the country and beyond, before proceeding to encrypting the files.
"The information stolen included the companies' financial information, personal information about employees, customers' details and other important documents," Europol said in a statement. "The suspect would then ask for a sizeable ransom payment in cryptocurrency, threatening to leak the stolen data on cybercrime forums should his demands not be met."
Ukraine Arrests 51 For Selling Stolen Data of 300 Million People
In a separate law enforcement action, the Cyberpolice Department of the National Police of Ukraine announced it had arrested 51 people in connection with illegally possessing about 100 databases containing personal information of more than 300 million citizens of Ukraine, Europe, and the U.S.
The databases also included "confidential information on financial and economic activities of individuals and legal entities, information about customers of banking and commercial institutions, authorization data on emails, social networks, online stores and more," the department said in a statement.
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!Don't Miss Out – Save Your Seat!
As part of the operation codenamed "DATA," the officials conducted a total of 117 searchers in various parts of the country and shut down an unnamed website that offered the stolen data — such as telephone numbers, names, and, in some cases, vehicle registration information — for sale.
"More than 30 channels of illegal dissemination of information were blocked during the investigation," the agency noted, with Serhiy Lypka, head of the Department for Combating Crimes in the Field of Computer Systems, stating "the cost of databases ranged from 500 to 50,000 hryvnias — depending on its content and commercial value."