Last week, a cybergang involved in distributing ransomware was arrested by the authorities as part of a global cybercrime crackdown operation.
According to Europol, the gang included five Romanian individuals, three of them suspected of distributing the CTB-Locker (Curve-Tor-Bitcoin Locker, also known as Critroni) ransomware, and the other two arrested in a parallel ransomware investigation related to the United States.
The joint investigation was called “Bakovia,” and it was carried out by the Romanian Police (Service for Combating Cybercrime), the Romanian and Dutch public prosecutor’s office, the Dutch National Police (NHTCU), the UK’s National Crime Agency, the US FBI with the support of Europol’s European Cybercrime Centre (EC3), and the Joint Cybercrime Action Taskforce (J-CAT).
At the beginning of 2017, the Dutch High Tech Crime Unit, alongside other authorities, informed the Romanian authorities that a group of individuals was involved in distributing spam emails which appeared to have been sent by companies in Italy, the Netherlands and the UK.
The spam messages were disguised as archived invoices with malware hidden inside. Once the targeted user opened the attachment, the CTB-Locker ransomware was dropped and began encrypting the victim’s data.
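A defender-side triage check for the lure described above, added here as an example and not code from Europol or the investigation: it inspects an invoice-themed ZIP attachment and flags members that no genuine invoice archive should contain (executables or scripts, double extensions such as `.pdf.js`, nested archives, encrypted members that cannot be scanned). The suffix lists and the constructed sample file names are assumptions.

```python
import io
import zipfile

# Member types a legitimate invoice archive should not contain (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1")
NESTED_ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".cab")


def triage_archive(data: bytes) -> list:
    """Return a list of findings for a ZIP attachment; an empty list means nothing suspicious."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    for info in zf.infolist():
        name = info.filename
        lower = name.lower()
        basename_parts = lower.rsplit("/", 1)[-1].split(".")
        if lower.endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"executable or script member: {name}")
            # e.g. Invoice.pdf.js: a document-looking name hiding a script suffix
            if len(basename_parts) > 2:
                findings.append(f"double extension disguises type: {name}")
        if lower.endswith(NESTED_ARCHIVE_SUFFIXES):
            findings.append(f"nested archive (common scanner-evasion layer): {name}")
        if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
            findings.append(f"encrypted member (content cannot be scanned): {name}")
    return findings


def build_lure_sample() -> bytes:
    """Constructed sample resembling the lure: invoice-themed ZIP carrying a script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf.js", "// placeholder text, not a real payload\n")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed benign counterpart: the same archive with only a PDF inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()
```

Run `triage_archive(build_lure_sample())` to see the findings a mail gateway could use to quarantine the message before the user ever reaches the attachment.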
CTB-Locker was first noticed in 2014 and was among the first ransomware families to use the Tor network to hide its command and control (C&C) infrastructure. Over the past few years, new variants of the ransomware were observed, and last year a “vaccine” for it was released.
The threat typically targets systems running Windows versions from XP to 8 and encrypts the user’s files with asymmetric cryptography, making them difficult to decrypt without the key, which the attackers would release only after the ransom was paid.
Two of the individuals in the same criminal group are suspected to have been involved in the distribution of the Cerber ransomware and to have infected a large number of computers in the United States. The investigation into the Cerber ransomware infections continues.
Although the two investigations were separate at first, they were joined as soon as the authorities found that the same group was behind both of them.
During the operation, the investigators searched six houses in Romania and seized a large amount of hard drives, laptops, external storage devices, cryptocurrency mining devices, and numerous documents.
“The criminal group is being prosecuted for unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail,” Europol states.
The attackers acquired the malware from its developers under the Ransomware-as-a-Service (RaaS) model: they ran the infection campaigns themselves and paid around 30% of the profits to the developers. This modus operandi is widespread among cybercriminals and gives even would-be criminals access to powerful malicious applications.
“Ransomware attacks are relatively easy to prevent if you maintain proper digital hygiene. This includes regularly backing up the data stored on your computer, keeping your systems up to date and installing robust antivirus software. Also, never open an attachment received from someone you don’t know or any odd looking link or email sent by a friend on social media, a company, online gaming partner, etc.,” Europol notes.
Because paying the ransom does not guarantee the safe recovery of the encrypted data, ransomware victims are advised not to pay it.