hree men have been arrested by Dutch police in connection with ransomware attacks that blackmailed thousands of companies.
The men, who are aged between 18 and 21, are said to have made millions of dollars – typically demanding ransoms of 100,000 Euros, but sometimes reaching a peak of more than 700,000 Euros.
A 21-year-old man from Zandvoort, described by police as the “prime suspect”, is said to have made over €2.5 million (US $2.65 million) during the course of his criminal career.
Tens of millions of pieces of personal information are thought to have been stolen by the malicious hackers, in attacks against organisations both large and small worldwide.
Stolen sensitive information is said to have included not just individuals’ names, addresses, and telephone numbers, but also dates of birth, bank account numbers, credit cards, passwords, license plate details, citizen service numbers, and passport information.
Such data could be exploited by identity thieves and fraudsters to gather further details about individuals, or gain access to accounts.
Even when ransoms were paid to the extortionists, exfiltrated data is said to have still been sold for profit to other cybercriminals via dark web marketplaces.
Surprise – you can’t trust a criminal to keep their word.
Intriguingly, one of those arrested by Dutch police is reported to have been an active member of the Dutch Institute for Vulnerability Disclosure (DIVD), a government-backed group of ethical hackers that hunts for flaws in computer systems.
According to the media, the arrested researcher had access to sensitive information about vulnerable systems, which could have potentially been abused to assist in ransomware attacks.
The Dutch media reports that DIVD said in an internal Slack message that it has found “no indications” that the man abused his access:
“We immediately blocked him and denied him access to our systems. We are just as shocked as everyone else… he was a nice colleague.”
The link with DIVD comes at an inconvenient time, as the group is being considered by the authorities for additional funding, in an attempt to strengthen the country’s cybersecurity defences.