Five individuals have been arrested as part of an investigation into two major ransomware families – CTB-Locker and Cerber – that spread across Europe and the U.S. in recent years. All suspects were arrested in Romania, Europol announced Wednesday, as six properties were searched as part of a major global police operation involving the FBI and the UK National Crime Agency, as well as Romanian and Dutch investigators.
CTB-Locker was one of the first ransomware strains to use the Tor anonymizing network in order to hide its command and control operations. It was also found by McAfee to be the most widespread ransomware of 2016. Criminals would typically spread it via spam containing an invoice, which, when opened, would attempt to infect Windows PCs. It was based on the code of CryptoLocker, previously one of the most successful ransomware variants around, until a police operation in June 2014 led to its demise, though not before it made $27 million in ransoms.
When the police raided the homes of those they suspected of being involved in CTB-Locker in the last week, they inadvertently came across what they claimed was evidence that two members of the same gang were spreading Cerber, a ransomware that was focused on extorting money out of Americans. Earlier this year, Google ranked Cerber as the most criminally profitable ransomware around, having made $6.9 million up to July 2017. The two suspects were arrested in Bucharest as they were trying to leave the country, after U.S. authorities issued an international search warrant.
Europol, which helped coordinate the international police operation, released a dramatic video of the arrests, in which armed officers stormed the suspects’ residence.
The Dutch police revealed that cryptocurrency mining equipment was seized, alongside laptops and hundreds of SIM cards. The identities of the individuals arrested were not released, however.
A message to cybercriminals
“Cybercrime is an area of crime like no other, where it is perceived as low risk, and high returns, which contributes greatly to its growth. Today a clear message has been sent that not only addresses this misconception, but emphasizes the value in public-private partnerships,” said Raj Samani, CTO at McAfee, which helped on the investigation, first kicked off by the Dutch High Tech Crime Unit. He noted that since 2015, total ransomware has almost tripled, growing to more than 12 million samples in the third quarter of 2017.
“Moreover, with arrests taking place it sends a message that being involved in cybercrime is definitely not zero risk,” Samani told Forbes. “This is one of the first times we have seen arrests against a major ransomware family so the impact and message is huge.”
It’s been a busy week for law enforcement action against ransomware, in which the U.S. government officially blamed North Korea for WannaCry, which infected masses of global systems, demanding bitcoin in return. WannaCry’s spread was only stymied by researcher Marcus Hutchins, who was later arrested and charged with creating the banking malware Kronos.