Five Romanian nationals have been arrested in connection with the CTB-Locker and Cerber file-encrypting ransomware.
CBT-Locker, or Curve-Tor-Bitcoin Locker, also known as Critroni, is one of the larger ransomware families and has been causing Windows users grief since 2015, often spreading through massive spam campaigns.
It hit headlines in early 2015 as a new piece of ransomware that was demanding 3 bitcoin to restore encrypted files.
Security researcher Kafeine discovered CBT-Locker being sold for $3,000 on hacker forums in 2014. The malware scans all hard drives and removal disks to seek out files for encryption. Uniquely at the time, it was using the encrypted network TOR for communications, making it tough for anyone but the criminals to know where the command and control servers were located.
Romanian authorities arrested three people in connection with spreading CBT-Locker in the past week. Two more people were arrested in Romania's capital, Bucharest, in connection with a US investigation into Cerber ransomware.
The arrests are the result of a joint investigation by the Romanian Police, the Romanian and Dutch public prosecutor’s office, the Dutch National Police (NHTCU), the UK’s National Crime Agency, and the FBI. Europe’s EC3 European Cybercrime Centre and Join Cybercrime Action Taskforce also provided support.
Police sized hard drives, laptops, SIM cards, cryptocurrency mining devices and documents. Six houses were raided. They also identified 170 victims across Europe.
The suspects arrested this week didn’t actually develop CTB-Locker but were subscribers to the ransomware server who collected a 30 percent commission on the windfall from extortion. CTB-Locker operators were one of the first to adopt a ransomware-as-a-service business model.
Europol has released a short video of one raid and subsequent arrests, which offers a glimpse of what appears to be a cryptocurrency mining rig.
The NHTCU discovered that Romanian nationals were connected to CTB-ransomware activity after they begun an investigation into a huge spam campaign hit the Netherlands in 2016, according to McAfee, which helped with its investigation. The well-crafted spam contained bogus attached invoices that infected Windows PCs once opened.
NHTCU began investigating CTB-Locker in 2015 due to a large influx of phishing emails that were designed to look like they were from Dutch telco, KPN. In 2016 it also discovered a Dutch server spreading the ransomware. NHTCU found source code for sending phishing email and numerous variants of the ransomeware. It handed the investigation to Romanian police in early 2017.
According to Europol, the US investigation into Cerber was being carried out separately until it was discovered the same group was behind CTB-Locker as well. The two Cerber suspects were arrested in Romania’s capital, Bucharest, while attempting to leave the country.
Investigators are still searching for others involved in spreading the malware and those responsible for building it.