
Law enforcement in Romania today arrested a group of individuals who were planning ransomware attacks against healthcare institutions in the country.
Three were arrested in Romania and a fourth in the Republic of Moldova after authorities executed home search warrants. Ironically, the group operated under the name PentaGuard Hackers Crew.
Big plans
In a press release today, the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) said that the group was formed at the beginning of the year and stored a variety of malicious tools on their computers.
Authorities say that PentaGuard had file-encrypting malware, remote access trojans (RATs), and tools for SQL injection and website defacement attacks.
According to DIICOT, the group's plan for the near future was to deploy ransomware attacks by leveraging the Bad Rabbit and Locky ransomware strains, first reported in 2017 and 2016, respectively.
Their targets would have been hospitals and healthcare organizations in Romania. The attackers would have planted malware in emails pretending to be from government institutions sending COVID-19 information.
Old habits die hard
Although DIICOT says that PentaGuard was established at the beginning of the year, some members of the group have been active since at least February 2000, when they engaged in website defacement. For 10 years they kept defacing various websites, smearing them with silly messages.

At the beginning of the year, PentaGuard resurfaced as a group with fewer members and resumed their defacement activity, but this time they appear to have an agenda: legalizing sex work in Romania.
Among its victims this year were the websites of a county council and the Romanian Court of Accounts.

It is unclear what made PentaGuard move from defacement to ransomware attacks, which is a huge step, but national media reports that this would have been a protest against the country-wide restrictions imposed due to the new coronavirus pandemic.
By the looks of it, PentaGuard was far from ready to run ransomware operations, even on a small scale. They were bragging online about their illegal activity, occasionally leaving their location turned on.
Apart from posts about defacing websites, they also published images of illegal substances and messages about their plan to attack the government of Romania. In one post taunting the Romanian police, PentaGuard said they were trying to change the mentality of the government.

A friend of PentaGuard, a Brazilian miner using the online name VandaTheGod, was arrested in November 2019 for stealing credit card information from several retail companies. He was also defacing websites.
Comments
R-K - 5 years ago
They’re not good people. They’re chaotic, ignorant, delusional & indiscriminate cyber-terrorists. Real good people never victimize innocents. Those protestors & activists are like they wanna legalize harmful drugs like cocaine & marijuana.