Full Report
Moldovan law enforcement authorities have arrested a 45-year-old foreign man suspected of involvement in a series of ransomware attacks targeting Dutch companies in 2021. "He is wanted internationally for committing several cybercrimes (ransomware attacks, blackmail, and money laundering) against companies based in the Netherlands," officials said in a statement Monday. In conjunction with the
Analysis Summary
# Incident Report: DoppelPaymer Ransomware Attack on Dutch Research Agency
## Executive Summary
A 45-year-old foreign man was arrested in Moldova in connection with multiple ransomware attacks against Dutch entities dating back to 2021, including a significant incident against the Netherlands Organization for Scientific Research (NWO). The attack on NWO, attributed to the DoppelPaymer ransomware group, resulted in operational disruption, the theft of internal documents, and material damages estimated at €4.5 million. The arrest was the result of international law enforcement coordination.
## Incident Details
- Discovery Date: Not explicitly stated, but the primary attack occurred in **February 2021**.
- Incident Date: **February 2021** (for the NWO incident). Arrest occurred around May 2025.
- Affected Organization: Netherlands Organization for Scientific Research (NWO).
- Sector: Scientific Research/Government/Education.
- Geography: Netherlands (Victim), Moldova (Arrest Location).
## Timeline of Events
### Initial Access
- Date/Time: **February 2021**
- Vector: Not disclosed. The source does not state how initial access was obtained (e.g., phishing or exploitation of a vulnerability); the intrusion culminated in the deployment of DoppelPaymer ransomware.
- Details: The attacker's access was sufficient to deploy DoppelPaymer ransomware against the organization's network drives.
### Lateral Movement
- Not explicitly detailed, but the ransomware **blocked network drives**, indicating that the attacker had gained access broad enough to affect shared storage across the network infrastructure.
### Data Exfiltration/Impact
- Date/Time: Theft of internal files preceded the locking of network drives; publication of the stolen files followed the ransom refusal.
- Details: The attacker **stole some internal files** and leaked them after NWO refused to pay the ransom demand. **Network drives were blocked**, rendering documents inaccessible.
### Detection & Response
- Detection: NWO disclosed the incident at the time the files were published in 2021.
- Response actions taken: NWO refused to pay the ransom demand on principle. The arrest of the suspect occurred in May 2025 following international investigation.
## Attack Methodology
- Initial Access: Not disclosed; the intrusion culminated in a **DoppelPaymer** ransomware infection.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: **Network drive blocking** indicates successful internal spread.
- Collection: **Theft of internal documents** prior to encryption/locking.
- Exfiltration: **Data leakage/publication** following ransom refusal.
- Impact: **Data encryption/disruption** (inaccessible documents) and **data leakage**.
## Impact Assessment
- Financial: Estimated material damage worth **€4.5 million** associated with the NWO attack.
- Data Breach: **Internal documents** were stolen and leaked.
- Operational: **Network drives were blocked**, causing disruption to operations.
- Reputational: Significant public disclosure regarding the compromise of a major research institution.
## Indicators of Compromise
- *Note: Specific IoCs are not provided in the summary text, but the ransomware family is known.*
- Network indicators: None provided; any would be those associated with the DoppelPaymer operation's infrastructure.
- File indicators: None provided beyond the ransomware family; expect **DoppelPaymer** artifacts such as encrypted files and ransom notes.
- Behavioral indicators: Exfiltration of internal documents followed by bulk locking of network drives, with publication of the stolen data once the ransom was refused.
## Response Actions
- Containment: Implied cessation of access following the 2021 incident, and subsequent international investigation.
- Eradication: Not detailed for the 2021 response, but implied by the restoration of systems.
- Recovery actions: NWO restored its systems without paying the ransom. The principal follow-up action detailed in the source is the **arrest** of a suspect in 2025, years after the attack.
## Lessons Learned
- Refusing to pay does not prevent leakage: NWO's principled refusal was followed by publication of the stolen files, and recovery proceeded without payment.
- International cooperation is crucial: The subsequent arrest demonstrates the long-term investigative effort required to prosecute such actors.
- Previous successful disruption: The article notes European law enforcement had previously targeted core DoppelPaymer members (March 2023), suggesting targeted disruption campaigns were ongoing.
## Recommendations
- Enhance endpoint detection and response capabilities specific to known ransomware families like DoppelPaymer.
- Implement robust, segmented backups disconnected from the main network to minimize recovery time following encryption events.
- Review data handling and access controls so that the volume of sensitive data reachable through network shares, a likely target for exfiltration, is kept to a minimum.