Over the past week, Romanian authorities have arrested three people suspected of infecting computer systems by spreading the CTB-Locker (Curve-Tor-Bitcoin Locker) ransomware. Two other suspects from the same criminal group were arrested in Bucharest in a parallel ransomware investigation linked to the United States.
CTB-Locker and Cerber are among the world's most widespread ransomware families. This action is likely to be recorded as the largest ransomware-related law enforcement operation to date.
During this law enforcement operation, called "Bakovia", six cases were investigated in Romania as the result of a joint investigation conducted by the Romanian Police (Service for Combating Cybercrime), the Romanian and Dutch Public Prosecutor's Offices, the Dutch National Police (NHTCU), the UK National Crime Agency and the FBI, with the support of Europol's European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT).
As a result of this investigation, the agents seized a significant number of hard disks, laptops, external storage devices, cryptocurrency mining devices and various documents.
The investigations in Romania resulted in the criminal group being charged with misuse of devices with intent to commit cybercrime, and with blackmail.
Earlier this year, the Romanian authorities obtained detailed information from the Dutch National High Tech Crime Unit and other authorities on the activity of a group of Romanian citizens who were involved in sending spam messages.
The targets of this spam campaign were well-known companies in countries such as Italy, the Netherlands and the United Kingdom. The purpose of the spam messages was very specific: infecting computer systems and encrypting their data with the CTB-Locker ransomware, also known as Critroni.
But what did the messages contain?
According to what is already known, each email carried an attachment, often disguised as an invoice, that hid a file containing malicious code. Once the attachment was opened on a machine running Windows, the malware encrypted the files on the infected device.
Once infected, all documents, photos, music, videos and other files on the device were encrypted with a scheme built on asymmetric (elliptic-curve) cryptography, which makes it practically impossible to decrypt the files without the private key held by the criminals. Out of desperation, victims were effectively "forced" to pay the ransom. Many companies, after paying, were given the key to decrypt their files.
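The reason a victim cannot simply recover the files from the infected machine is the hybrid key-management model that the name "Curve-Tor-Bitcoin" alludes to: an elliptic-curve key agreement with a public key embedded in the malware, a per-file symmetric key derived from it, and the ephemeral private half discarded immediately. The following Go program is an added illustration written for this page; it is not CTB-Locker's code and the article does not describe the malware's exact construction. It assumes X25519 for the key agreement, AES-256-GCM for the bulk encryption, and a plain SHA-256 hash of the shared secret as a stand-in for a proper KDF. It works on an in-memory byte string constructed here and touches no files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Blob layout (an assumption of this example, not CTB-Locker's format):
// [32-byte ephemeral X25519 public key][12-byte GCM nonce][ciphertext + 16-byte tag]
const (
	ephPubLen = 32
	nonceLen  = 12
	tagLen    = 16
)

// GenerateKeyPair creates an X25519 key pair. In the ransomware model the
// private half stays with the criminals; only the public half ships in the malware.
func GenerateKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey turns the X25519 shared secret into an AES-256 key.
// SHA-256 stands in for HKDF so the example needs only the standard library.
func deriveKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext to the holder of recipientPub. A fresh ephemeral key
// pair is made per call and its private half is dropped on return, so the
// encrypting machine retains nothing that could reverse the operation.
func Encrypt(recipientPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, ephPubLen+nonceLen+len(plaintext)+aead.Overhead())
	out = append(out, ephPub...)
	out = append(out, nonce...)
	// The ephemeral public key is bound to the ciphertext as associated data.
	return aead.Seal(out, nonce, plaintext, ephPub), nil
}

// Decrypt recovers the plaintext. Only the recipient's private key yields the
// same shared secret; any other key derives a different AES key and GCM fails.
func Decrypt(recipientPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < ephPubLen+nonceLen+tagLen {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:ephPubLen])
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	nonce := blob[ephPubLen : ephPubLen+nonceLen]
	return aead.Open(nil, nonce, blob[ephPubLen+nonceLen:], blob[:ephPubLen])
}

func main() {
	criminals, err := GenerateKeyPair() // private half never leaves the attacker
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample document: Q4 invoice, amount due 1,250 EUR")
	blob, err := Encrypt(criminals.PublicKey(), doc)
	if err != nil {
		panic(err)
	}
	victimKey, _ := GenerateKeyPair() // anything the victim has is the wrong key
	if _, err := Decrypt(victimKey, blob); err != nil {
		fmt.Println("without the criminals' private key:", err)
	}
	plain, err := Decrypt(criminals, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with the private key: %q\n", plain)
}
```

The practical consequence for incident responders is that memory or disk forensics on the victim machine recovers, at best, the attacker's public key and the per-file ephemeral public keys, neither of which helps; recovery depends on backups, on a flaw in the specific implementation, or on the private key being obtained, for instance through a seizure like the one described here.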
To date, 170 victims have been identified in several European countries; all have filed complaints and provided evidence that will help prosecute the suspects.