
Alleged Collection 1 hacker nabbed; ransomware campaign targeting hospitals disrupted

The Ukrainian Secret Service on Tuesday announced the arrest of a man who they say is the hacker who amassed hundreds of millions of stolen credentials and then used an internet message board to announce their availability as a data set known as Collection 1.

And in another significant win for law enforcement officials, Romania has announced the disruption of a hacker group that allegedly intended to launch ransomware attacks against hospitals during the COVID-19 pandemic.

The Collection 1 suspect allegedly collected roughly 773 million email addresses and approximately 21,000 unique passwords under the user handle Sanix -- and then drew international headlines as a result of the massive size of the breach. However, as pointed out by security expert Brian Krebs in a blog post, the database Sanix assembled was largely a pastiche of old information stolen in previously executed breaches.

A press release from the Security Service of Ukraine (SBU) says Sanix allegedly was in control of at least seven databases containing stolen and broken passwords, and that he also was selling bank card PIN numbers, bitcoin e-wallets, PayPal accounts and information on compromised computers for use in botnet and DDoS attacks.

Officials have not revealed the suspect's actual name, but they do say the arrest was made in or around the Ukrainian city of Ivano-Frankivsk and that they seized computer equipment that proves the man's illegal activities.

In other news, late last week prosecutors with Romania's Directorate for Investigating Organized Crime and Terrorism (DIICOT) announced that they launched an operation to dismantle Pentaguard, a small cybercrime hacking group that formed last January.

DIICOT said that four unidentified individuals, operating under the name Pentaguard, allegedly have committed a series of illegal computer crimes, including SQL injections and defacements, as well as data theft. Targets have included public and governmental institutions and private industry (including banks and education programs) in Romania and Moldova.

Pentaguard was allegedly found to be in possession of, or developing, various forms of malware, including ransomware, crypto lockers and remote access trojans. Notably, DIICOT said the cyber gang members intended to infect Romanian hospitals and health care institutions with ransomware from the Locky or BadRabbit families via phishing emails designed to look like they contained government-issued COVID-19 messaging.

"Through this type of attack, there is the possibility of blocking and seriously disrupting the functioning of the IT infrastructures of the respective hospitals, part of the health system which plays a decisive role at this time to combat the pandemic with the new coronavirus," DIICOT said in a press release.

The crackdown operation involved three separate house searches between Romania and Moldova, DIICOT said.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
