Cyber Threat Actor: John Vanderwolfe
| Actor Type | Location | Known Incidents |
Criminal
|
United Kingdom
|
1 incident |
|---|
Profile
John Vanderwolfe is an alias used by a threat actor known to operate from the United Kingdom. The actor came to public attention following a ransomware incident on 3 February 2017 that affected a town council in Devon. The incident was reported by the BBC, highlighting the disruption caused to local government services. According to reports, an employee of the council opened a malicious email that was disguised as a parcel delivery notification. The email contained a payload that executed ransomware, encrypting files on the council’s network. As a result, all documents created over the previous year were lost, except for finance and planning records stored separately. The attack forced the council to halt normal administrative functions and required months of rescanning correspondence to restore operations.
The ransomware used in the Devon incident demanded payment in exchange for a decryption key, which the council refused to pay due to uncertainty about successful data recovery. Law‑enforcement agencies provided mitigation advice to the affected council and alerted neighboring local authorities about the ongoing threat. No specific malware family or toolset was disclosed in the public reporting, so the actor’s tooling style remains undefined beyond the use of ransomware delivered via phishing. The observed initial‑access vector—a deceptive email masquerading as a legitimate delivery notice—represents the only confirmed technique associated with John Vanderwolfe. To date, this Devon council attack is the sole publicly documented operation attributed to the alias, and no broader affiliations or campaign history have been established. Consequently, the profile of John Vanderwolfe is limited to the single ransomware event described above.
