A Romanian man accused of using ransomware to target “high-profile” organizations and companies was arrested Monday as part of a joint operation between the Romanian National Police, the FBI, and Europol.
The man — identified only as a 41-year-old living in Craiova, Romania — is accused of compromising an unnamed Romanian IT services company with clients in the retail, energy and utilities sectors, according to a Europol statement posted to the agency’s website.
He then used that access to steal sensitive data from the IT company’s clients in Romania and abroad before deploying ransomware to encrypt their files. The stolen data included financial information, personal information about employees and customers, and other important documents.
The man then asked for a “sizeable ransom payment in cryptocurrency,” the Europol statement read, with the threat of posting the stolen data on cybercrime forums.
Allan Liska, the director of threat intelligence at cybersecurity firm Recorded Future, said Monday that based on the available information, this “appears to have been a one-off, not a traditional ransomware affiliate model.” It’s unclear whether the man was an insider threat, or had figured out how to break into the IT company’s network, Liska said.
“I’m intrigued by the use of extortion without the traditional extortion site,” Liska added, referring to the common ransomware attackers’ practice of posting samples of stolen data to websites to pressure victims into paying. “How often does this happen? Are there a lot more ransomware attacks we never see because they are set up like this, a one-off attack by someone outside the affiliate system who doesn’t have access to an extortion site?”
The FBI did not immediately respond to a request for comment about its role in the operation.
Monday’s arrest comes roughly a month after Romanian authorities, Europol and other law enforcement agencies around the world announced the arrest of two cybercrime suspects accused of launching 5,000 ransomware attacks using the REvil/Sodinokibi malware, until recently one of the most commonly used strains of ransomware. That operation coincided with the U.S. Department of Justice’s seizure of $6 million in ransomware payments and charges against Yevgeniy Polyanin, a Russian national, and Ukrainian national Yaroslav Vasinsky, for operations involving REvil ransomware.