Industry News

Europol releases dramatic video of Romanians arrested for spreading CTB Locker and Cerber ransomware

As part of an extensive law enforcement operation called “Bakovia,” Romanian authorities on Wednesday arrested five individuals suspected of infecting tens of thousands of computers across Europe and the United States using the infamous Ransomware-as-a-Service model leveraging two of the most criminally profitable ransomware strains – CTB Locker and Cerber.

The Europol released a dramatic video of one of six raids in Romania as a result of a joint investigation by Romanian Police, Dutch National Police, the UK’s National Crime Agency and the FBI.

The video shows investigators seizing hard drives, laptops, external storage devices, cryptocurrency mining devices and hundreds of SIM cards, as well as numerous documents incriminating the suspects.

“The criminal group is being prosecuted for unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail,” the Europol said.

Operation “Bakovia” reportedly started early this year, when Romanian authorities received detailed information from the Dutch High Tech Crime Unit and other authorities that a group of Romanian nationals was involved in sending spam messages with the purpose of infecting victims’ computers with ransomware.

In a typical infection vector for ransomware attacks, the spam emails were crafted to look like they were sent from well-known companies that victims might be doing business with – i.e. their power utility company. The emails were sent across Italy, the Netherlands, the UK and the US.

“The intention of the spam messages was to infect computer systems and encrypt their data with the CTB-Locker ransomware aka Critroni,” Europol said. “Each email had an attachment, often in the form of an archived invoice, which contained a malicious file. Once this attachment was opened on a Windows system, the malware encrypted files on the infected device.”

CTB-Locker notably uses the Tor anonymity service to hide its command and control (C&C) center and targets almost all versions of Microsoft’s Windows operating system. It encrypts all data on the infected computer and demands a ransom (in the form of cryptocurrency) in exchange for decrypting the data.

More than 170 victims filed complaints, which the Europol says “provided evidence that will help with the prosecution of the suspects.”

The CTB-Locker investigation was separate from the Cerber investigation, but the two were soon combined when investigators found the same Romanian group was behind both attacks. A new investigation into the Cerber ransomware infections targeting the United States is now underway at the United States Secret Service. As part of this investigation, two suspects were arrested this week in Bucharest while trying to flee Romania.

Bitdefender recommends that ransomware victims refrain from paying ransom money in exchange for having their data decrypted, as cybercriminals rarely (if ever) do so. Never open email attachments from sources you do not fully trust. Finally, running a trusted antivirus solution offers the best defense against ransomware.

About the author


Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.