As part of an extensive law enforcement operation called “Bakovia,” Romanian authorities on Wednesday arrested five individuals suspected of infecting tens of thousands of computers across Europe and the United States using the infamous Ransomware-as-a-Service model leveraging two of the most criminally profitable ransomware strains – CTB Locker and Cerber.
The Europol released a dramatic video of one of six raids in Romania as a result of a joint investigation by Romanian Police, Dutch National Police, the UK’s National Crime Agency and the FBI.
The video shows investigators seizing hard drives, laptops, external storage devices, cryptocurrency mining devices and hundreds of SIM cards, as well as numerous documents incriminating the suspects.
“The criminal group is being prosecuted for unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail,” the Europol said.
Operation “Bakovia” reportedly started early this year, when Romanian authorities received detailed information from the Dutch High Tech Crime Unit and other authorities that a group of Romanian nationals was involved in sending spam messages with the purpose of infecting victims’ computers with ransomware.
In a typical infection vector for ransomware attacks, the spam emails were crafted to look like they were sent from well-known companies that victims might be doing business with – i.e. their power utility company. The emails were sent across Italy, the Netherlands, the UK and the US.
“The intention of the spam messages was to infect computer systems and encrypt their data with the CTB-Locker ransomware aka Critroni,” Europol said. “Each email had an attachment, often in the form of an archived invoice, which contained a malicious file. Once this attachment was opened on a Windows system, the malware encrypted files on the infected device.”
CTB-Locker notably uses the Tor anonymity service