Police have arrested five Romanians for spreading two of the most prominent ransomware families
On Wednesday, Romanian authorities arrested three individuals for distributing Curve-Tor-Bitcoin (CTB) Locker and two more for spreading the infamous Cerber ransomware across Europe and the US. Both strains were offered through Ransomware-as-a-Service (RaaS) portals: would-be hackers rented the file-encrypting malware, distributed it themselves and handed 30% of the ransom proceeds back to the developers.
CTB Locker, also known as Critroni, was the first ransomware to hide its command-and-control servers behind the Tor network, preserving the anonymity of its operators. Although the arrested suspects are not the authors of Cerber or CTB Locker, as affiliates they helped the developers extract enormous revenues from their victims:
CTB Locker is estimated to have brought in $27 million in ransom payments, while Cerber was ranked by Google in July 2017 as the most criminally profitable ransomware family, with an estimated $6.9 million in earnings by that date.
Operation Bakovia: Europol, the FBI and other law enforcement agencies were involved
According to Europol's official press release, the authorities searched six houses in Romania during the joint operation, codenamed Bakovia. The Dutch National Police, the UK's National Crime Agency, the FBI and the Romanian Police joined forces to carry out the investigation.
During the searches, multiple devices were found that might be related to the ransomware attacks:
As a result of the searches in Romania, investigators seized a significant number of hard drives, laptops, external storage devices, cryptocurrency mining devices and numerous documents. The group is being prosecuted for unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes, and blackmail.
How the criminals distributed Cerber and CTB Locker ransomware
In early 2017, the Dutch High Tech Crime Unit informed the Romanian authorities that several Romanian citizens were sending spam emails with malicious attachments. The criminals crafted the messages to look as if they came from well-known companies based in countries such as the Netherlands, the UK and Italy.
Each email carried an archived attachment disguised as an invoice, which actually contained the executable of either CTB Locker or Cerber. Once the victim extracted and opened the file, the malware began encrypting data, and the ransom demand followed.
These file-encrypting viruses targeted almost all versions of Windows, including 8, 7, Vista and XP. Victims lost access to their most commonly used files, such as photos, documents, music, videos and other valuable data. Because the ransomware uses a hybrid scheme in which file contents are encrypted with a symmetric key that is in turn wrapped with the attackers' public key (RSA in Cerber's case; CTB Locker, as the "Curve" in its name indicates, uses elliptic-curve cryptography), recovering the files without the matching private key held by the criminals is practically impossible.
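As an added illustration, not part of the original article or of any agency's reporting, the Python script below shows how a mail-gateway check could catch the lure described above: a ZIP "invoice" whose only member is a Windows executable with a decoy double extension. It builds a constructed sample message (the sender and recipient addresses, the filenames and the two-byte "MZ" payload stub are all made up for the example; nothing in it runs), parses it with the standard library, descends into the archive, and reports executable extensions, double extensions and PE headers. A size cap on inflated archive members guards against zip bombs.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions that have no business inside an "invoice" attachment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document extensions commonly used as the decoy half of a double extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to inflate archive members beyond this


def build_sample_email(malicious=True):
    """Constructed sample message: a fake overdue-invoice mail with a ZIP attachment.

    With malicious=True the archive holds 'Invoice_2017-03.pdf.exe', whose content is
    a two-byte 'MZ' DOS header plus padding; it only looks like a Windows executable
    and runs nothing. With malicious=False the archive holds a harmless PDF stub.
    Addresses and filenames are invented for the example.
    """
    if malicious:
        member_name, member_data = "Invoice_2017-03.pdf.exe", b"MZ" + b"\x00" * 62
    else:
        member_name, member_data = "Invoice_2017-03.pdf", b"%PDF-1.4\n%%EOF\n"
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_data)

    msg = EmailMessage()
    msg["From"] = "billing@example-supplier.test"
    msg["To"] = "accounts@example.test"
    msg["Subject"] = "Invoice 2017-03 overdue"
    msg.set_content("Please find the overdue invoice attached.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice_2017-03.zip")
    return msg.as_bytes()


def check_file(name, data, where):
    """Return (location, reason) findings for one file name/content pair."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        findings.append((where, "executable extension"))
    # 'Invoice.pdf.exe' style: a document extension hiding in front of the real one.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
        findings.append((where, "double extension"))
    # Windows PE files start with the 'MZ' DOS stub regardless of how they are named.
    if data[:2] == b"MZ":
        findings.append((where, "PE header"))
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and inspect every attachment, descending into ZIPs."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        findings += check_file(name, data, name)
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    where = f"{name}:{info.filename}"
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:  # zip-bomb guard
                        findings.append((where, "oversized member skipped"))
                        continue
                    findings += check_file(info.filename, zf.read(info), where)
        except zipfile.BadZipFile:
            findings.append((name, "archive does not parse"))
    return findings


if __name__ == "__main__":
    for location, reason in scan_message(build_sample_email()):
        print(f"{location}: {reason}")
```

The same lure is often shipped as a password-protected or nested archive, or as a script (.js, .vbs) rather than a PE file; the extension list covers the script variants, but an encrypted archive will surface only as "archive does not parse" and should be quarantined on that basis rather than passed through.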