Operation Bakovia – Romanian authorities arrest 5 individuals for Spreading CTB Locker and Cerber Ransomware

Pierluigi Paganini December 21, 2017

Operation Bakovia – Romanian police arrested 5 individuals suspected of infecting tens of thousands of computers across Europe and the US with Ransomware.

Another success of law enforcement against cybercrime, this time Romanian police have arrested five individuals suspected of infecting tens of thousands of computers across Europe and the United States with Ransomware.
The arrests are part of an international operation tracked as Operation Bakovia conducted by Europol, the FBI and law enforcement agencies from Romanian, Dutch, and the UK.
The suspects have been arrested for spreading the dreaded Cerber and CTB Locker (Curve-Tor-Bitcoin Locker) ransomware, the police arrested them and raided six houses in East Romania last week.

Three suspects were arrested in Romania, the remaining two men belonging to the same organization were arrested in Bucharest as part of a parallel investigation conducted with the help of US authorities.

“During the last week, Romanian authorities have arrested three individuals who are suspected of infecting computer systems by spreading the CTB-Locker (Curve-Tor-Bitcoin Locker) malware – a form of file-encrypting ransomware. Two other suspects from the same criminal group were arrested in Bucharest in a parallel ransomware investigation linked to the US.” states the announcement published by Europol.

“During this law enforcement operation called “Bakovia“, six houses were searched in Romania as a result of a joint investigation carried out by the Romanian Police (Service for Combating Cybercrime), the Romanian and Dutch public prosecutor’s office, the Dutch National Police (NHTCU), the UK’s National Crime Agency, the US FBI with the support of Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT).”

As a result of the investigation, during the raid, the police seized a significant amount of hard drives, external storage, laptops, cryptocurrency mining devices, numerous documents and hundreds of SIM cards.

The suspects are being prosecuted for unauthorized computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail.

The Europol published a video of the arrests that shows the police’s incursion in the suspects’ residence.

CTB Locker, aka Critroni, is based on CryptoLocker, it was the first ransomware to use the Tor anonymizing network to hide the command and control infrastructure.

The Cerber ransomware was first spotted in 2016, it was offered in the criminal underground as a ransomware-as-a-service (RaaS).

“The investigation in this case revealed that the suspects did not develop the malware themselves, but acquired it from specific developers before launching various infection campaigns of their own, having to pay in return around 30% of the profit.”  continues the Europol.

“This modus operandi is called an affiliation program and is “Ransomware-as-a-service”, representing a form of cybercrime used by criminals mainly on the Dark Web, where criminal tools and services like ransomware are made available by criminals to people with little knowledge of cyber matters, circumventing the need for expert technological skills.”

The CTB Locker was the most widespread ransomware in 2016, while Cerber was one of the most profitable ransomware in the criminal ecosystem.

Both ransomware were spread through drive-by-download attacks and phishing campaign.

“In early 2017, the Romanian authorities received detailed information from the Dutch High Tech Crime Unit and other authorities that a group of Romanian nationals was involved in sending spam messages,” Europol said in its press release.“The spam messages intended to infect computer systems and encrypt their data with the CTB-Locker ransomware aka Critroni. Each email had an attachment, often in the form of an archived invoice, which contained a malicious file. Once this attachment was opened on a Windows system, the malware encrypted files on the infected device.”

At the time of publishing the press release, the police did not yet release the identities of the arrested individuals,

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Operation Bakovia, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment