Five arrested in Romania for spreading notorious CTB Locker and Cerber ransomware in US, Europe

Five suspected hackers have been arrested for allegedly spreading the notorious CTB Locker and Cerber ransomware strains across the US and Europe. Romanian authorities arrested three suspects linked to the CTB (Curve-Tor-Bitcoin) Locker malware while two other suspects from the same criminal group were arrested in Bucharest for spreading Cerber ransomware, Europol said.

In an operation code-named "Bakovia" – named after the Romanian poet George Bakovia – Romanian police searched six houses and seized the group's computer hardware including hard drives, external storage devices, cryptocurrency mining devices, hundreds of sim cards as well as numerous documents.

While the five suspects did not design the malicious software themselves, they are believed to have paid the developers behind the ransomware around 30% of the profit.

They are currently being prosecuted for "unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail".

The arrests were the result of a joint investigation carried out by the Romanian Police, Dutch, UK and US authorities with assistance from Europol and cybersecurity firm McAfee.

CTB Locker, also known as Critroni, is one of the largest known ransomware families. The developers behind the malicious malware began to advertise in on the underground market for a cost of $3,000 (£2,245) in June 2014. It was also offered in an affiliate program that allowed other hackers to enlist and distribute the ransomware in exchange for a slice of the profits.

The malware was spread via spam emails that purported to come from well-known companies in Italy, the Netherlands and the UK, but included a malicious document attached.

It was also one of the first ransomware variants to use Tor to hide its C&C infrastructure. Targeting nearly all versions of Windows, including XP, Vista, 7 and 8, the malware encrypts all files on the infected device asymmetrically, making it even more difficult to decrypt the files without the private key provided by the hackers in exchange for a ransom.

Europol said more than 170 victims from several European countries have been identified so far.

Cerber, on the other hand, targeted computer systems in the US and infected over 150,000 computers globally in 2016, security firm Check Point said. Researchers found that the ransomware ran more than 160 active campaigns worldwide, generating an annual projected revenue of about $2.3m for hackers.

"This case illustrates the Crime-as-a-Service (CaaS) model, as the services were offered to any criminal online," Europol said in a statement. "This modus operandi is called an affiliation program and is 'Ransomware-as-a-service', representing a form of cybercrime used by criminals mainly on the Dark Web, where criminal tools and services like ransomware are made available by criminals to people with little knowledge of cyber matters, circumventing the need for expert technological skills."