In a joint operation between Romanian police, the Romanian and Dutch public prosecutor’s offices, the Dutch National Police, the UK’s National Crime Agency, the FBI, Europol’s EC3 (European Cybercrime Centre) and the Joint Cybercrime Action Taskforce, five Romanian individuals were arrested for spreading the CTB-Locker (Curve-Tor-Bitcoin) and Cerber ransomware families.

Five arrests made in connection to CTB-Locker and Cerber ransomware families

Arrests were made after Romanian authorities received information from the Dutch High Tech Crime Unit and other authorities about a group involved in sending spam messages. After an investigation, six houses were raided and five individuals were arrested.

“As a result of the searches in Romania, investigators seized a significant amount of hard drives, laptops, external storage devices, cryptocurrency mining devices and numerous documents. The criminal group is being prosecuted for unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail,” Europol reports.

All suspects part of the same criminal group

CTB-Locker was first identified in 2014 and is noted as one of the first ransomware variants to use Tor to hide its command and control infrastructure. Like most ransomware, it encrypted files such as photos, music and documents and demanded that victims pay a certain sum of money to obtain a decryptor.

According to Europol, Romanian authorities received information about a group in Romania that was sending out sophisticated spam messages, pretending to be from legitimate companies in various countries. The messages contained attachments infected with the CTB-Locker ransomware; once an attachment was opened on a Windows computer, the malware would execute and start encrypting files. As a result, three individuals were arrested in connection with the spread of CTB-Locker.

In what was initially thought to be a separate matter, two Romanians were arrested for spreading a different ransomware, Cerber. During the investigation, it was uncovered that the same group was behind both CTB-Locker and Cerber attacks.

The investigation revealed that the suspects taken into custody were spreading the malware but were not responsible for its creation. Rather, they acquired it from a separate developer who offered the malware as Ransomware-as-a-Service (RaaS) and took 30% of the profit. RaaS has been on the rise lately and is an attractive means of earning money for those who lack the knowledge and experience to build their own ransomware.

Europol warns not to pay the ransom

“Ransomware attacks are relatively easy to prevent if you maintain proper digital hygiene. This includes regularly backing up the data stored on your computer, keeping your systems up to date and installing robust antivirus software. Also, never open an attachment received from someone you don’t know or any odd looking link or email sent by a friend on social media, a company, online gaming partner, etc.,” the report states.

The law enforcement agency warns that paying the ransom does not guarantee restored files and only funds future criminal activity. And while it may seem unnecessary to some, it is recommended to report a ransomware infection to the police so that they can better pursue the cyber criminals behind it.

When deciding whether to pay the ransom, there are several factors to weigh. Paying is largely discouraged because there is no guarantee that the cyber criminals will send a decryption key, so victims may simply be wasting money. Instead, before even considering payment, victims should invest in backups. Safely stored copies of your files, combined with good computer habits, go a long way towards preventing ransomware and limiting its consequences.
