Caleb Boma | February 26th, 2021

According to BleepingComputer, the recent cyberattack that forced the Dutch Research Council (NWO) to take its servers offline and suspend grant allocation processes was caused by the DoppelPaymer ransomware gang. The hackers gained access to NWO’s network on February 8 and stole internal documents, threatening with leaking them unless the organization paid a ransom. Since NWO does not cooperate with cybercriminals, DoppelPaymer published proof of the stolen internal data on their leak site. This tactic is typical to ransomware gangs and the purpose is to pressure victims into paying the ransom.

NWO is the main body that funds researchers at universities and institutes in the Netherlands, making annual investments of up to one billion euros. The organization announced on February 14 that its network had been hacked, without providing details regarding the incident, only about the impact it has on its activity. On Wednesday, the DoppelPaymer ransomware gang leaked a dozen files stolen from NWO’s servers to show that they have a larger cache and are still open to negotiations.

In an update on the incident yesterday, the organization says that the hackers have internal NWO documents from the past years that include details about its employees. This does not change its decision not to pay the hackers.


DoppelPaymer ransomware group has been very active lately and has caused problems for many different organizations. In fact, DoppelPaymer requested a $20 million ransom from Kia Motors America after an attack earlier this week. In addition to the ransom request, Kia had some customers who were not able to make purchases successfully which is directly affecting their ability to maximize profit and keep their customers satisfied.

Fortunately, SpearTip has an enterprise solution for combating these malicious threats. Our ShadowSpear® Platform has the ability to detect and stop DoppelPaymer ransomware from running malicious executables on your organization’s machines. In addition to our response tool, the Security Operations Center with

SpearTip’s cyber experts continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.