Malware

Dutch Research Council (NWO) confirms DoppelPaymer ransomware attack

Dutch Research Council (NWO) confirmed that the recent cyberattack that forced it to take its servers offline was caused by the DoppelPaymer ransomware gang.

On February 14, Dutch Research Council (NWO) was hit by a cyber attack that compromised its network and impacted its operations.

In response to the incident, the Dutch Research Council (NWO) was forced to take its servers offline.

The attackers stole documents from the NWO and demanded a ransom to avoid leaking them online, but the research council refused to pay.

“On 8 February, the DoppelPaymer hacker group gained access to the NWO network. As part of the Dutch national government, NWO does not address the demands of criminals on grounds of principle. That is why DoppelPaymer started on 24 February to leak internal NWO documents from the past years on the dark web.” reads an update published by the company.

“Although NWO deeply regrets that data of its own employees are now being made public unauthorized, this does not change this choice. This will mean that stolen files may be made public again soon.”

Now the Dutch Research Council (NWO) confirmed that the family of ransomware involved in the attack was DoppelPaymer.

“The Dutch Research Council (NWO Dutch: Nederlandse Organisatie voor Wetenschappelijk Onderzoek) is the national research council of the Netherlands. NWO funds thousands of top researchers at universities and institutes and steers the course of Dutch science by means of subsidies and research programmes. NWO promotes quality and innovation in science. NWO is an independent administrative body under the auspices of the Dutch Ministry of Education, Culture and Science. NWO directs its approximate budget of 1 billion euros towards Dutch universities and institutes, often on a project basis.” states Wikipedia about the organization.

This week, the DoppelPaymer ransomware operators started leaking a batch of files stolen from the NWO network as proof of the hack.

The NWO confirmed that the hackers compromised network disks containing the data processed by some internal offices and other organizations such as the TKI-HTSM, TKI Chemie, European Polar Board, and the LNVH.

“The network disks containing the data processed by NWO, the NWO-I office, SIA and NRO. It also contains the mail servers of NWO, office NWO-I, SIA and NRO. Furthermore, links with various external applications have gone wrong or have been closed.” states the organization in FAQ page.

The NWO staff is still working on restoring the operations, the activity is expected to go on for a few weeks.

The list of victims of the DoppelPaymer ransomware is long and includes Bretagne Télécom. Compal, the City of Torrance (California), Hall County in GeorgiaNewcastle University, and PEMEX (Petróleos Mexicanos).

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Dutch Research Council (NWO))

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Palo Alto Networks fixed multiple privilege escalation flaws

Palo Alto Networks addressed multiple vulnerabilities and included the latest Chrome patches in its solutions.…

5 hours ago

Unusual toolset used in recent Fog Ransomware attack

Fog ransomware operators used in a May 2025 attack unusual pentesting and monitoring tools, Symantec…

8 hours ago

Paraguay Suffered Data Breach: 7.4 Million Citizen Records Leaked on Dark Web

Resecurity researchers found 7.4 million records containing personally identifiable information (PII) of Paraguay citizens on…

21 hours ago

Apple confirmed that Messages app flaw was actively exploited in the wild<gwmw style="display: none; background-color: transparent;"></gwmw>

Apple confirmed that a security flaw in its Messages app was actively exploited in the…

1 day ago

Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer

Trend Micro fixed multiple vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer…

1 day ago