Join us at Binding Hook Live on October 27 at Underbelly Boulevard Soho in London
Join us at Binding Hook Live
Request an invite
Main Logo Expert commentary on tech and security

Ransomware groups are not always out of reach

James Shires / Max Smeets 14 May 2025
Share On:
The arrest of a suspect after a spate of ransomware attacks in the Netherlands is an unusual win for law enforcement, but a more holistic approach is required.
Main Top Image
Screenshot: POLITIA RM/YouTube

Last week, Moldovan authorities arrested a suspect connected to a spate of ransomware attacks in the Netherlands in 2021. During the arrest police seized an electronic wallet likely containing cryptocurrency, multiple laptops and mobile devices, and around 80,000 euros (89,383 USD) in cash. 

Although this arrest took place four years after the initial incidents, it raises a glimmer of hope in the often pessimistic world of ransomware policy – such cyber criminals are usually thought to be simply out of reach of law enforcement. Such law enforcement actions are more regular than often appreciated. However, they can only be truly successful in the context of a holistic counter-ransomware policy that protects the most vulnerable organisations.

Ransomware in the Netherlands

Like most digitally saturated countries, the Netherlands faces a thorny ransomware problem. Along with hostile state actors, cybercriminals using ransomware and other forms of digital extortion are afforded extensive discussion in the 2024 Dutch national cybersecurity assessment. This assessment records 140 to 180 ransomware incidents in the Netherlands in 2023, with discrepancies partly due to reporting processes: higher numbers come from the Dutch data protection authority, where reporting data breaches is mandatory under the EU’s General Data Protection Regulation (GDPR). Lower numbers come from other data collection efforts without a legal mandate to collect reports, which also impose an arbitrary size threshold  excluding small organisations (100 or fewer full-time employees). The actual number of ransomware incidents, especially those affecting small- and medium-sized enterprises and other local entities, is likely to be far higher.

Recent ransomware incidents have caused organisations and their customers to suffer business disruptions, lose data, and incur high remediation costs. A notable incident affecting a maritime services provider forced them to adopt emergency measures on oil rigs and conduct physical supervision of drilling. But ransomware incidents have also had  impacts closer to home. In 2023, ransomware attacks in the Netherlands affected healthcare and elderly care providers, with the latter incident temporarily disabling emergency buttons for elderly patients.

The incidents leading to the recent Moldova arrest involved a ransomware strain known as ‘DoppelPaymer’, which was used most frequently between 2019 and 2021. The cybercriminals behind DoppelPaymer sometimes used aggressive tactics to coerce victims into paying, going so far as to call individuals at victim companies and threaten to turn up at their homes and call their relatives. DoppelPaymer was responsible for serious incidents across several countries, including an attack on a German hospital that may have contributed to a patient’s death.

The most notable DoppelPaymer incident in the Netherlands targeted the Dutch Research Council (NWO) in March 2021. Key servers were compromised and the NWO’s network had to be taken offline. Grant application rounds were suspended mid-stream, email systems went dark, and two affiliated research bodies were also impacted. The NWO attributed this incident to DoppelPaymer and publicly refused to pay any ransom, a stance that led the DoppelPaymer attackers to publish stolen internal documents on the internet. It took weeks for NWO to restore operations, delaying research funding for scientists across the country. 

The tricky problem of ransomware countermeasures

Law enforcement have attempted to disrupt those behind DoppelPaymer before. In February 2023, German and Ukrainian police simultaneously raided the houses of suspected DoppelPaymer cybercriminals in both countries, with follow-up actions later that year. These interventions appeared to be more aimed at finding and prosecuting those responsible rather than active disruption – the DoppelPaymer leak site was only active until March 2021. The law enforcement action in Moldova this week seems to follow a similar logic. 

However, even though DoppelPaymer disappeared, we cannot be sure that the people responsible for it ceased their activity. Ransomware groups frequently change names, branding, tactics and technical infrastructure to stay ahead of law enforcement.

One key aspect of the Moldova arrests is international cooperation, with the press release proudly emphasising ‘operative information and effective cooperation’ between Moldova and the Netherlands (as well as domestic cooperation between the Moldovan Center for Combating Cybercrimes and the National Investigation Inspectorate). Given that ransomware operators are usually spread across multiple countries, and are rarely located in the same country as victims, international cooperation –  including through Europol and Interpol– are crucial to effective response. 

Despite the many difficulties involved, high-profile actions like arrests happen regularly – if not frequently. The Ransomware Countermeasures Tracker, developed by Virtual Routes (Binding Hook’s parent organisation), includes 38 instances of arrests worldwide since 2010, peaking in 2021 with 15 arrests that year. The Netherlands has contributed to 7 arrest operations, of a total of 32 anti-ransomware interventions since 2015. Moldova, on the other hand, had previously only played a small part in an Interpol takedown operation with over 50 countries participating, suggesting that this is a major step forward for countering ransomware in Moldova. 

Post-incident measures can only go so far

Law enforcement operations to track down cybercriminals are crucial  to restoring justice – especially where, as in the Moldova case, extradition procedures have already been started to take the suspect to the Netherlands. These operations also contribute to deterrence, as cybercriminals may be less likely to engage in ransomware if they might be arrested and extradited while travelling or even arrested in their home countries. 

However, effectively combating ransomware also requires pre-emptive action, from takedowns of cybercriminal infrastructure to the often mooted and always controversial topics of payment bans and cyber insurance. Here, smaller organisations – SMEs, nonprofits, and other local community groups – are often left out of ransomware policy discussions. 

At Virtual Routes, we have now extended the Google.org Cybersecurity Seminars program to the Netherlands, to enable university students to help local community organisations defend against ransomware attacks. Over the coming two years, students will gain both practical skills and a deeper understanding of the broader implications of ransomware. Students will work with local community organisations on projects such as phishing simulations, tabletop incident response exercises, decryptor library development and victim support sheets, and network scanning to identify vulnerabilities. Together, these efforts will help to better secure under-resourced and highly vulnerable local communities in the Netherlands against ransomware, while providing practical experience to tomorrow’s cybersecurity professionals.

avatar
James Shires
avatar
Max Smeets

Related

Featured image
Hooked On Trends
Responsible tech business in conflict
Isabel Ebert / Timothy Charlton-Czaplicki 8 March 2024
Read more arrow
Featured image
Hooked On Trends
Bureaucratic initiative redefines German law enforcement cyber operations
Jakob Bund 15 August 2024
Read more arrow
Featured image
Hooked On Trends
Hooked! #3: Cyberattacks on UK retailers raise questions about food security
Katharine Khamhaengwong 20 May 2025
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.