Connect with us

Hi, what are you looking for?



Authorities Dismantle Ransomware Cybergang

Five Romanian nationals suspected of being part of a cybercrime g

Five Romanian nationals suspected of being part of a cybercrime group focused on distributing ransomware were arrested last week as part of a global cybercrime crackdown operation.

Three of the individuals are suspected of spreading the CTB-Locker (Curve-Tor-Bitcoin Locker, also known as Critroni) ransomware, while the other two were arrested in a parallel ransomware investigation linked to the United States, Europol has revealed.

Called operation “Bakovia,” the joint investigation was carried out by Romanian Police (Service for Combating Cybercrime), the Romanian and Dutch public prosecutor’s office, the Dutch National Police (NHTCU), the UK’s National Crime Agency, the US FBI with the support of Europol’s European Cybercrime Centre (EC3), and the Joint Cybercrime Action Taskforce (J-CAT).

The Dutch High Tech Crime and other authorities informed the Romanian authorities in early 2017 that a group of individuals were involved in the sending of spam messages that appeared to have been sent by companies in countries like Italy, the Netherlands and the UK.

The spam emails contained what appeared to be an archived invoice that would hide malware inside. As soon as the intended victim would open the attachment, the CTB-Locker ransomware would be dropped and the data on the system would start being encrypted.

First observed in 2014, CTB-Locker was among the first ransomware families to use the Tor network to hide its command and control (C&C) infrastructure. New variants of the ransomware were observed over time, and a “vaccine” was released for it last year.

Targeting systems running Windows versions from XP to 8, the malware can encrypt user’s files asymmetrically, making it difficult to decrypt without a key that the attackers would release only after a ransom was paid.

Advertisement. Scroll to continue reading.

Two people in the
same criminal group are suspected to have been also involved in the distribution of
the Cerber ransomware and to have infected a large number of computers in the United States. An investigation into the Cerber ransomware infections is undergoing.

Although the two investigations were separate in the beginning, they were joined when authorities discovered that the same group was behind both. The two suspects in the Cerber investigation hadn’t been located at the time of the actions on CTB-Locker, but were arrested one day after the US authorities issued an international arrest warrant for them.

As part of the operation, investigators searched six houses in Romania and seized a large amount of hard drives, laptops, external storage devices, cryptocurrency mining devices, and numerous documents.

“The criminal group is being prosecuted for unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail,” Europol says.

The suspects did not develop the malware themselves, but acquired it from specific developers as part of the Ransomware-as-a-service (RaaS) model. They would launch the infection campaigns and pay around 30% of the profits to the developers. Wide-spread among cybercriminals, this modus operandi provides even wannabe criminals with access to powerful malicious applications.

“Ransomware attacks are relatively easy to prevent if you maintain proper digital hygiene. This includes regularly backing up the data stored on your computer, keeping your systems up to date and installing robust antivirus software. Also, never open an attachment received from someone you don’t know or any odd looking link or email sent by a friend on social media, a company, online gaming partner, etc.,” Europol notes.

Ransomware victims are advised to refrain from paying the ransom, as it would not guarantee the safe recovery of the data.

“Today, a clear message has been sent—involvement in cybercrime is not zero risk. These ransomware families claimed many victims in Belgium, Italy, the Netherlands, and the United States, and the arrests of the actors behind them is a significant takedown operation,” Raj Samani, Chief Scientist at McAfee, the security firm involved in the takedown, told SecurityWeek in an emailed statement.

Related: Ransomware: Where It’s Been and Where It’s Going 

Related: Fake Windows 10 Upgrade Emails Hide Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...