Five Romanian nationals suspected of being part of a cybercrime group focused on distributing ransomware were arrested last week as part of a global cybercrime crackdown operation.
Three of the individuals are suspected of spreading the CTB-Locker (Curve-Tor-Bitcoin Locker, also known as Critroni) ransomware, while the other two were arrested in a parallel ransomware investigation linked to the United States, Europol has revealed.
Called operation “Bakovia,” the joint investigation was carried out by Romanian Police (Service for Combating Cybercrime), the Romanian and Dutch public prosecutor’s office, the Dutch National Police (NHTCU), the UK’s National Crime Agency, the US FBI with the support of Europol’s European Cybercrime Centre (EC3), and the Joint Cybercrime Action Taskforce (J-CAT).
The Dutch High Tech Crime and other authorities informed the Romanian authorities in early 2017 that a group of individuals were involved in the sending of spam messages that appeared to have been sent by companies in countries like Italy, the Netherlands and the UK.
The spam emails contained what appeared to be an archived invoice that would hide malware inside. As soon as the intended victim would open the attachment, the CTB-Locker ransomware would be dropped and the data on the system would start being encrypted.
First observed in 2014, CTB-Locker was among the first ransomware families to use the Tor network to hide its command and control (C&C) infrastructure. New variants of the ransomware were observed over time, and a “vaccine” was released for it last year.
Targeting systems running Windows versions from XP to 8, the malware can encrypt user’s files asymmetrically, making it difficult to decrypt without a key that the attackers would release only after a ransom was paid.
Two people in the same criminal group are suspected to have been also involved in the distribution of the Cerber ransomware and to have infected a large number of computers in the United States. An investigation into the Cerber ransomware infections is undergoing.
Although the two investigations were separate in the beginning, they were joined when authorities discovered that the same group was behind both. The two suspects in the Cerber investigation hadn’t been located at the time of the actions on CTB-Locker, but were arrested one day after the US authorities issued an international arrest warrant for them.
As part of the operation, investigators searched six houses in Romania and seized a large amount of hard drives, laptops, external storage devices, cryptocurrency mining devices, and numerous documents.
“The criminal group is being prosecuted for unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail,” Europol says.
The suspects did not develop the malware themselves, but acquired it from specific developers as part of the Ransomware-as-a-service (RaaS) model. They would launch the infection campaigns and pay around 30% of the profits to the developers. Wide-spread among cybercriminals, this modus operandi provides even wannabe criminals with access to powerful malicious applications.
“Ransomware attacks are relatively easy to prevent if you maintain proper digital hygiene. This includes regularly backing up the data stored on your computer, keeping your systems up to date and installing robust antivirus software. Also, never open an attachment received from someone you don’t know or any odd looking link or email sent by a friend on social media, a company, online gaming partner, etc.,” Europol notes.
Ransomware victims are advised to refrain from paying the ransom, as it would not guarantee the safe recovery of the data.
“Today, a clear message has been sent—involvement in cybercrime is not zero risk. These ransomware families claimed many victims in Belgium, Italy, the Netherlands, and the United States, and the arrests of the actors behind them is a significant takedown operation,” Raj Samani, Chief Scientist at McAfee, the security firm involved in the takedown, told SecurityWeek in an emailed statement.