Dutch Research Council (NWO) confirmed that the recent cyberattack that forced it to take its servers offline was caused by the DoppelPaymer ransomware gang.

On February 14, Dutch Research Council (NWO) was hit by a cyber attack that compromised its network and impacted its operations.

In response to the incident, the Dutch Research Council (NWO) was forced to take its servers offline.

The attackers stole documents from the NWO and demanded a ransom to avoid leaking them online, but the research council refused to pay.

“On 8 February, the DoppelPaymer hacker group gained access to the NWO network. As part of the Dutch national government, NWO does not address the demands of criminals on grounds of principle. That is why DoppelPaymer started on 24 February to leak internal NWO documents from the past years on the dark web.” reads an update published by the company.

“Although NWO deeply regrets that data of its own employees are now being made public unauthorized, this does not change this choice. This will mean that stolen files may be made public again soon.”

Now the Dutch Research Council (NWO) confirmed that the family of ransomware involved in the attack was DoppelPaymer.

“The Dutch Research Council (NWO Dutch: Nederlandse Organisatie voor Wetenschappelijk Onderzoek) is the national research council of the Netherlands. NWO funds thousands of top researchers at universities and institutes and steers the course of Dutch science by means of subsidies and research programmes. NWO promotes quality and innovation in science. NWO is an independent administrative body under the auspices of the Dutch Ministry of Education, Culture and Science. NWO directs its approximate budget of 1 billion euros towards Dutch universities and institutes, often on a project basis.” states Wikipedia about the organization.

This week, the DoppelPaymer ransomware operators started leaking a batch of files stolen from the NWO network as proof of the hack.

Dutch Research Council (NWO)

The NWO confirmed that the hackers compromised network disks containing the data processed by some internal offices and other organizations such as the TKI-HTSM, TKI Chemie, European Polar Board, and the LNVH.

“The network disks containing the data processed by NWO, the NWO-I office, SIA and NRO. It also contains the mail servers of NWO, office NWO-I, SIA and NRO. Furthermore, links with various external applications have gone wrong or have been closed.” states the organization in FAQ page.

The NWO staff is still working on restoring the operations, the activity is expected to go on for a few weeks.

The list of victims of the DoppelPaymer ransomware is long and includes Bretagne Télécom. Compal, the City of Torrance (California), Hall County in GeorgiaNewcastle University, and PEMEX (Petróleos Mexicanos).

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – hacking, Dutch Research Council (NWO))

The post Dutch Research Council (NWO) confirms DoppelPaymer ransomware attack appeared first on Security Affairs.