Romanian law enforcement authorities have apprehended a total of five suspects linked with closely related malware attacks. Three of the suspects allegedly infected hundreds of thousands of computer systems across the globe by spreading two particularly destructive families of ransomware—Cerber and CurveTorBitcoin (CTB) Locker malware.
The Cerber ransomware alone infected over 200,000 computers globally in 2016 and raked in an estimated $2 million in annual revenue for hackers. This malware, first discovered three years ago, was one of the first variants of ransomware to use Tor.
Two more suspects were apprehended in Romania under a similar ransomware investigation led by the U.S. Federal Bureau of Investigation.
All arrests are part of a global law enforcement operation by Romanian and Dutch investigators alongside the National Crime Agency in the U.K. and the FBI in the U.S.
The CTB Locker malware, also known by the name “Critroni,” is a form of file-encrypting ransomware which was among the very first ransomware programs to take advantage of the Tor network to mask the command and control servers.
It infects nearly every version of Windows. Once the ransomware enters the system, all documents and files within it are encrypted completely, making it impossible to unlock the files without a private key. The private key might only be released when the ransom demand is paid.
Those who developed the malware began advertising on dark web markets in 2014. It also had an affiliate program that enlisted other hackers to distribute the ransomware in exchange for profit. Later, McAfee labeled it the most impactful malware of the year.
The malware was spread via spam emails that appeared to be sent from companies in the Netherlands, Italy and the U.K. The emails included a malicious file attached which, when opened, would attempt to infect the operating system. It was based on the code of CryptoLocker, previously one of the most successful ransomware variants of all time with more than $25 million in ransom payouts until a 2014 law enforcement operation charged its administrator.
A joint operation codenamed “Bakovia” was launched, involving Romanian, Dutch, U.K. and U.S. law enforcement agencies. During the operation, agents raided six houses in eastern Romania and seized several hard drives, external storage, laptops, devices for cryptocurrency mining, numerous documents and hundreds of SIM cards.
The five suspects are charged with accessing devices without proper authorization, infecting computer systems and misusing devices with the intention of blackmailing others.
As a result of the coordinated law enforcement operation, more than 200 suspects from several European nations have been unmasked to date. In all filed cases, evidence has been provided to prosecute the suspects.
Sources of the Ransomware
Europol representatives stated there’s a possibility that the suspects didn’t design the malware directly, but instead obtained it from other software developers before deploying the infection campaigns and thereafter sharing the profits accordingly.
The case illustrates the “Ransomware as a Service” trend, a type of cybercrime popular in the dark web. There, ransomware services are readily available to users who may have little experience with cybersecurity.
The service is thought to carry low risk but high returns, reportedly even higher than those of the drug industry, which has consequently driven its rapid growth. Ransomware sales on the dark web increased by 2,502 percent in 2017 alone.
The arrests come around the same time the U.S. government officially alleged North Korea was responsible for WannaCry, a massive ransomware attack orchestrated last May which infected masses of global systems, demanding Bitcoin in return. The outbreak was eventually brought under control after security expert Marcus Hutchins—who was later arrested on unrelated charges for developing a type of banking malware—inadvertently halted the spread of the ransomware to other systems.
Ransomware attacks can be prevented if users implement proven cybersecurity best practices, including regularly backing up data, keeping computer systems and software updated, and keeping strong, up-to-date antivirus software installed.
Avoid opening emails and links from unknown and untrusted sources. But if your device does get infected, it isn’t wise to give in to ransom demands, as it’s highly possible you will not get your files back even after paying. Instead, the first action to take is to report the attack to law enforcement.