{ "id": "d6796ee6-1d16-4195-9131-229448c8c3d0", "created_at": "2026-04-06T00:13:24.473081Z", "updated_at": "2026-04-10T03:20:03.021342Z", "deleted_at": null, "sha1_hash": "9d4ae3fb3d31fd65fc04435aa7f9b5c75e267e9f", "title": "Ransomware Gang Arrested for Spreading Locky to Hospitals", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 58555, "plain_text": "Ransomware Gang Arrested for Spreading Locky to Hospitals\r\nBy Tara Seals\r\nPublished: 2020-05-18 · Archived: 2026-04-05 13:43:47 UTC\r\nA group of four people calling themselves “Pentaguard” were arrested in house raids.\r\nA cybercriminal gang have been arrested for spreading the Locky ransomware among hospitals, among other\r\ncrimes.\r\nIn an operation spearheaded by Romania’s law enforcement department, four people have been taken into custody\r\nafter their houses were raided – three in Romania and one in neighboring Moldova.\r\nProsecutors at the Directorate for Investigating Organized Crime and Terrorism (DIICOT) are charging the group\r\nwith illegal operations with computer devices and programs, illegal access to a computer system, alteration of\r\ncomputer data integrity and computer forgery.\r\nAccording to a media statement from DIICOT [translated with Google Translate], the crime group formed at the\r\nbeginning of the year, calling themselves “Pentaguard.”\r\nThere were two prongs of their operation. First, they used SQL injection to compromise and deface websites,\r\ntargeting websites operated by “several public institutions (institutions of central and local public administration,\r\ngovernment) and private (financial-banking, cultural, education, etc.), in Romania and the Republic of Moldova.”\r\nSecondly, they distributed ransomware like Locky to carry out extortion campaigns; and they spread remote\r\naccess trojans (RATs) to help them steal data. These attacks were directed against several public institutions both\r\nin Bucharest and elsewhere, and more were planned.\r\n“The information we have obtained so far showed that they intended to launch attacks, including ransomware\r\nattacks, in the near future, on some public health institutions in Romania (generally hospitals),” according to the\r\nrelease. They used “social engineering by sending a malicious executable application, from the ‘Locky’ or\r\n‘BadRabbit’ (computer virus) families, hidden in an e-mail and in the form of a file that apparently would come\r\nfrom other government institutions, regarding the threat of COVID-19.”\r\nThe infamous Maze ransomware group and others said that they would back off amidst the coronavirus pandemic\r\n– before coming back in that sector with a vengeance. Overall, healthcare organizations of all stripes continue to\r\nbe attacked.\r\nFor instance, in April, the Clop ransomware group attacked biopharmaceutical company ExecuPharm and leaked\r\n“select corporate and personnel information” on underground forums in what’s known as a double-extortion\r\nattack. ExecuPharm, a Pennsylvania-based subsidiary of the U.S. biopharmaceutical giant Parexel, provides\r\nhttps://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/\r\nPage 1 of 2\n\nclinical trial management tools for biopharmaceutical companies. The attack was initiated through phishing emails\r\nthat were sent to ExecuPharm employees.\r\n“Through this type of attack, there is the possibility of blocking and severely disrupting the functioning of the IT\r\ninfrastructure of those hospitals, part of the health system, which plays a decisive and decisive role at this time, to\r\ncombat the pandemic with the new coronavirus,” said Romanian officials.\r\nConcerned about the IoT security challenges businesses face as more connected devices run our enterprises,\r\ndrive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join\r\nrenowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE\r\nwebinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new\r\nand growing attack surface. Please register here for this sponsored webinar.\r\nSource: https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/\r\nhttps://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/" ], "report_names": [ "155842" ], "threat_actors": [], "ts_created_at": 1775434404, "ts_updated_at": 1775791203, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9d4ae3fb3d31fd65fc04435aa7f9b5c75e267e9f.pdf", "text": "https://archive.orkl.eu/9d4ae3fb3d31fd65fc04435aa7f9b5c75e267e9f.txt", "img": "https://archive.orkl.eu/9d4ae3fb3d31fd65fc04435aa7f9b5c75e267e9f.jpg" } }