Romanian law enforcement authorities have arrested four cybercriminals who were planning to launch ransomware attacks on health care organizations in Romania. Three of the hackers were arrested in Romania and the fourth in the Republic of Moldova.
The hackers were charged with illegal operations involving computer devices and programs, illegal access to a computer system, alteration of computer data integrity, and computer forgery. According to the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT), the threat actors were members of a hacking group named “PentaGuard,” which was formed at the beginning of the year and created various kinds of malware and malicious tools.
DIICOT stated that PentaGuard built malware such as Remote Access Trojans and ransomware, tools to perform website defacements, and tools to exploit SQL injection vulnerabilities in order to breach web servers and steal data. The group has reportedly been active since 2000 and has been involved in mass defacements of several government and private-sector websites. However, from early 2020, PentaGuard stopped defacing websites and has instead remained active on hacking forums.
“The information obtained so far showed that they intended to launch ransomware attacks in the near future, on some public health institutions in Romania, generally hospitals, using a social engineering toolkit and by sending a malicious executable application from the Locky or BadRabbit computer virus families, hidden in an e-mail and in the form of a file that apparently would come from other government institutions, regarding the threat of COVID19. The malicious executable application will then be automatically downloaded to the computer system, producing data encryption and thus disabling the computer platform,” DIICOT said in a statement.
The statement further added that such attack techniques disrupt the functioning of hospital IT infrastructure, which plays a decisive role in combating the pandemic.
The group's main intention was to possess and develop malicious computer applications and use them for specific attacks such as SQL injection and defacement, followed by compromising website content and, where applicable, stealing stored computer data.