Over the last week, police in Romania arrested five suspects for allegedly spreading CTB-Locker (Curve-Tor-Bitcoin Locker or Citroni) and Cerber ransomware, renting the malware from a ransomware-as-a-service (RaaS) outfit on the Dark Web.
According to Europol, police searched six houses in Romania during “Operation Bakovia”: a joint operation between Romanian and Dutch police and public prosecutors offices, the UK’s National Crime Agency, the FBI, Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT).
The operation was named after Romanian poet George Bacovia.
Below is a video recorded by Romanian police during searches at seven locations. The raids turned up what authorities said was a large haul of hard drives, laptops, external storage devices, cryptocurrency mining computers (you can hear their fans roaring away in the video) and other documents.
The gang is being prosecuted for unauthorized computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail.
If the name CTB-Locker rings a bell, it’s because the ransomware has been around for a while, and it’s come in a few forms. That name was used by the crooks behind a widespread Windows ransomware campaign back in 2014.
CTB-Locker was also the name used for a more recent PHP ransomware that attacked blogs, websites, content managers and more in 2016.
(You can read about the Windows version of CTB-Locker and other ransomware variants in the SophosLabs paper The Current State of Ransomware, published in December 2015.)
Cerber, which first appeared in early 2016, was for a long time the No. 1 ransomware intercepted from customer computers, according to SophosLabs’ recently released 2018 Malware Forecast.
Europol says that early this year, the Dutch High Tech Crime Unit tipped off Romanian authorities about a group of Romanian nationals who were behind a wave of spam that pretended to originate from well-known companies in countries like Italy, the Netherlands and the UK.
The bait was an attachment, typically disguised as an invoice. Opening the attachment on a Windows computer set the ransomware loose to encrypt data files – documents, photos, music, videos, and more – on the infected computer.
As Europol explains it, CTB-Locker was one of the first ransomware variants to use Tor to hide its command and control infrastructure.
Europol says that the operation has identified more than 170 victims from several European countries. All have filed complaints and provided evidence that Europol says should help in prosecutions.
Besides CTB-Locker, two people from the same Romanian gang are also suspected of distributing Cerber ransomware that infected plenty of systems in the US. The United States Secret Service is now investigating those infections.
Investigations into the crooks behind the two ransomware variants were initially separate, but when the Romanian gang was tied to both attacks, it became one investigation. The US issued an international arrest warrant for the two Cerber suspects, after which they were arrested the next day in Bucharest while trying to leave the country.
Operation Bakovia investigators found that the suspects didn’t develop the malware; rather, they got it from developers who charged around 30% of the ill-gained profits. This sort of ransomware-as-a-service “affiliate program” makes inflicting malware easy for crooks who lack cybersmarts.
Defensive measures: ransomware
As we’ve noted before, the best defense against ransomware is not to get infected in the first place. To that end, Sophos has published a guide titled How to stay protected against ransomware that we think you’ll find useful:
You can also listen to our Techknow podcast Dealing with Ransomware: