
A Romanian man has been sentenced to 20 years in prison for his involvement in the notorious NetWalker ransomware attacks, which targeted hundreds of victims worldwide, including critical sectors such as healthcare, law enforcement, and education. Daniel Christian Hulea, 30, of Jucu de Mijloc, Cluj, Romania, was also ordered to forfeit $21.5 million in cryptocurrency proceeds and assets tied to a luxury resort property in Bali, Indonesia, which he financed using funds from the ransomware attacks.
Hulea pleaded guilty to computer fraud conspiracy and wire fraud conspiracy in June 2023. According to court documents, he used the sophisticated NetWalker ransomware to extort money from victims, primarily focusing on the healthcare sector during the COVID-19 pandemic. This global cyberattack campaign disrupted hospitals, emergency services, and municipalities, exploiting the crisis to extort millions in ransom payments.
As part of his plea agreement, Hulea admitted to obtaining approximately 1,595 bitcoin from the ransomware attacks, valued at around $21.5 million at the time of payment. In addition to his lengthy prison sentence, Hulea was ordered to pay nearly $15 million in restitution to his victims. The sentence follows Hulea’s arrest in Cluj, Romania, on July 11, 2023, after U.S. authorities requested his extradition. He was subsequently brought to the United States under the extradition treaty between Romania and the U.S.
NetWalker, a type of ransomware often deployed in targeted attacks, has been responsible for some of the most significant cybercrime incidents in recent years. The attack campaign disrupted numerous critical industries, including healthcare providers, municipalities, and schools, causing widespread damage and significant financial losses.
Court documents have shed light on the operations of the notorious NetWalker ransomware group, revealing its “ransomware-as-a-service” model. This structure involves two primary roles: developers and affiliates. Developers are tasked with creating and maintaining the ransomware, while affiliates use it to target high-value victims. Once a victim pays the ransom, the proceeds are split between the developers and the affiliates.
Once a victim’s network is compromised and its data encrypted, the attackers deliver a ransom note, which includes instructions for payment, typically through the Tor network to ensure anonymity. According to the affidavit, attackers often spend days or even weeks silently infiltrating the victim’s network, elevating their access privileges and spreading the ransomware across multiple systems before issuing the ransom demand.
The criminal group gained global attention when, in June 2020, it launched an attack against the University of California, San Francisco (UCSF), a leading medical research institution working on a COVID-19 cure. In response, UCSF’s IT team quickly disconnected infected computers, but the university ultimately paid a $1.14 million ransom after covert negotiations, which were reported by the BBC. These negotiations took place on the dark web, despite advice from law enforcement agencies, including the FBI, Europol, and the UK’s National Cyber Security Centre, urging victims not to pay the ransom.
Law enforcement agencies across the world have targeted the NetWalker gang and its affiliates. Notably, Sebastien Vachon-Desjardins, a key affiliate of the group, was sentenced to seven years in prison in January 2022 after pleading guilty in an Ontario court to his role in the ransomware attacks.
The case highlights the growing global challenge of cybercrime and the use of ransomware to extort millions of dollars from vulnerable organizations, particularly during crises like the pandemic. The authorities’ success in bringing Hulea to justice underscores the international cooperation needed to combat cybercrime and protect victims from these malicious online schemes.