During the last week, Romanian authorities have arrested three individuals who are suspected of infecting computer systems by spreading the CTB-Locker (Curve-Tor-Bitcoin Locker) malware - a form of file-encrypting ransomware. Two other suspects from the same criminal group were arrested in Bucharest in a parallel ransomware investigation linked to the US.
During this law enforcement operation called "Bakovia", six houses were searched in Romania as a result of a joint investigation carried out by the Romanian Police (Service for Combating Cybercrime), the Romanian and Dutch public prosecutor’s office, the Dutch National Police (NHTCU), the UK’s National Crime Agency, the US FBI with the support of Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT).
As a result of the searches in Romania, investigators seized a significant amount of hard drives, laptops, external storage devices, cryptocurrency mining devices and numerous documents. The criminal group is being prosecuted for unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail.
In early 2017, the Romanian authorities received detailed information from the Dutch High Tech Crime Unit and other authorities that a group of Romanian nationals were involved in sending spam messages. This spam was specifically drafted to look like it was sent from well-known companies in countries like Italy, the Netherlands and the UK. The intention of the spam messages was to infect computer systems and encrypt their data with the CTB-Locker ransomware aka Critroni. Each email had an attachment, often in the form of an archived invoice, which contained a malicious file. Once this attachment was opened on a Windows system, the malware encrypted files on the infected device.
CTB-Locker was first detected in 2014 and was one of the first ransomware variants to use Tor to hide its command and control infrastructure. It targets almost all versions of Windows, including XP, Vista, 7 and 8. Once infected, all documents, photos, music, videos, etc. on the device are encrypted asymmetrically, which makes it very difficult to decrypt the files without the private key in possession of the criminals, which might be released when victims pay the ransom.
As a result of the law enforcement activities, more than 170 victims from several European countries have been identified to date; all filed complaints and provided evidence that will help with the prosecution of the suspects.
Cerber ransomware in United States
In addition to the spread of CTB-Locker, two people within the same Romanian criminal group are also suspected of distributing the Cerber ransomware. They were suspected of contaminating a large number of computer systems in the United States. The United States Secret Service has subsequently started an investigation into the Cerber ransomware infections.
Initially, the CTB-Locker investigation was separate from the Cerber investigation. However, the two were joined when it turned out that the same Romanian group was behind both these attacks. At the time of the actions on CTB-Locker, the two suspects of the Cerber investigation had not yet been located. After the US authorities issued an international arrest warrant for the two suspects, they were arrested the day after in Bucharest while trying to leave the country.
This case illustrates the Crime-as-a-Service (CaaS) model, as the services were offered to any criminal online.
The investigation in this case revealed that the suspects did not develop the malware themselves, but acquired it from specific developers before launching various infection campaigns of their own, having to pay in return around 30% of the profit. This modus operandi is called an affiliation program and is "Ransomware-as-a-service", representing a form of cybercrime used by criminals mainly on the Dark Web, where criminal tools and services like ransomware are made available by criminals to people with little knowledge of cyber matters, circumventing the need for expert technological skills.
Europol supported the investigation by hosting operational meetings, drafting digital forensic and malware analysis reports, collating intelligence and providing analytical support. The participating countries worked together in the framework of the EMPACT project targeting cyber-attacks that affect critical infrastructure and information systems in the EU. On the action day, forensic support was provided during the house searches with the intention of analysing data extracted from electronic devices and providing immediate results.
Never pay the ransom
Ransomware attacks are relatively easy to prevent if you maintain proper digital hygiene. This includes regularly backing up the data stored on your computer, keeping your systems up to date and installing robust antivirus software. Also, never open an attachment received from someone you don’t know or any odd looking link or email sent by a friend on social media, a company, online gaming partner, etc.
If you do get infected, we advise you not to pay the requested ransom. It will not get you your files back and you will be funding criminal activity. We recommend you always report the infection to your national police authorities, as this will enable law enforcement to better tackle the criminal groups behind it.
More prevention advice is available on www.nomoreransom.org.