Romanian police arrest five on charges of spreading malware across Europe and the US

Accused suspected of propagating CTB-Locker ransomware

Authorities in Romania have spearheaded the arrest of five alleged cyber crooks, accused of hacking into computers and distributing malware across Europe and the US.

Europol claims that the individuals had been distributing CTB-Locker (Curve-Tor-Bitcoin Locker) malware, a form of file-encrypting ransomware.

In a Europe-wide investigation coordinated by Europol, two other people were also arrested in Bucharest, Romania; they are believed to be members of the same group and were linked to an investigation in the US.

The law enforcement operation, named Bakovia, saw police search six houses in Romania in a joint investigation between the Romanian Police, the Romanian and Dutch public prosecutors' offices, and the Dutch National Police's National High Tech Crime Unit (NHTCU).

The UK's National Crime Agency, the US FBI, Europol's European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) also assisted.

Officers seized a range of devices, including hard drives, laptops, external storage devices, cryptocurrency mining devices and documents.

The investigators said the crooks face charges of "unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail".

Cyber crime specialists found the first clues earlier this year, when they identified a group of individuals sending spam.

The Europol statement continues: "In early 2017, the Romanian authorities received detailed information from the Dutch High Tech Crime Unit and other authorities that a group of Romanian nationals were involved in sending spam messages.

"This spam was specifically drafted to look like it was sent from well-known companies in countries like Italy, the Netherlands and the UK.

"The intention of the spam messages was to infect computer systems and encrypt their data with the CTB-Locker ransomware, aka Critroni. Each email had an attachment, often in the form of an archived invoice, which contained a malicious file."

The malware targets Windows devices. "Once this attachment was opened on a Windows system, the malware encrypted files on the infected device," said the investigators.
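The infection chain described above (a spoofed "invoice" email carrying an archive whose member is really an executable) is the kind of lure a mail gateway can catch before it reaches a Windows desktop. The following is an added example of such an attachment triage check; it is not code from the article, from Europol or from the CTB-Locker investigation. The extension lists, the `triage` verdicts and the in-memory sample archives are the author's assumptions, and the "fake PE" is just an `MZ`-prefixed byte string constructed for the demonstration, not malware.

```python
"""Triage of archived 'invoice' attachments (added example, not from the article)."""
import io
import zipfile

# Assumed list: extensions Windows runs directly or via a script host on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".lnk", ".cpl"}
# Assumed list: document-looking extensions used as the decoy half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MZ = b"MZ"  # first two bytes of every Windows PE file


def suspicious_members(archive_bytes):
    """Return [(member_name, [reasons])] for archive members that look like payloads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.lower().rsplit("/", 1)[-1]
            parts = basename.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if len(parts) > 2 and ext in EXECUTABLE_EXTS and "." + parts[-2] in DECOY_EXTS:
                reasons.append("double extension: document name, executable type")
            # Check content, not just the name: a renamed PE still starts with MZ.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == MZ:
                reasons.append("PE header (MZ) in first bytes")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def triage(archive_bytes):
    """Return {'verdict': 'allow'|'quarantine', 'findings': [...]} for one attachment."""
    try:
        findings = suspicious_members(archive_bytes)
    except zipfile.BadZipFile:
        # A non-archive claiming to be one is itself a reason to hold the mail.
        return {"verdict": "quarantine", "findings": [("<archive>", ["not a valid zip"])]}
    return {"verdict": "quarantine" if findings else "allow", "findings": findings}


def build_sample(members):
    """Build an in-memory zip from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a fake PE stub (MZ prefix only), a benign text invoice,
# and a PE renamed to look like a text file so that only the magic-byte check fires.
FAKE_PE = MZ + b"\x00" * 62 + b"This program cannot be run in DOS mode"
LURE_ARCHIVE = build_sample({"Invoice_2017_1123.pdf.scr": FAKE_PE})
BENIGN_ARCHIVE = build_sample({"invoice.txt": b"Amount due: 100 EUR"})
RENAMED_ARCHIVE = build_sample({"invoice_details.txt": FAKE_PE})

if __name__ == "__main__":
    for label, sample in (("lure", LURE_ARCHIVE), ("benign", BENIGN_ARCHIVE),
                          ("renamed", RENAMED_ARCHIVE)):
        print(label, triage(sample))
```

The magic-byte check is what makes this more than an extension blocklist: an attacker who ships `invoice.txt` with PE content still gets caught, and an attacker who ships a `.scr` hidden behind a `.pdf` decoy name trips both the extension and double-extension rules. Gateways that unpack nested archives or password-protected ones need more than this, but the shape of the check stays the same.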

CTB-Locker was first detected in 2014 and was one of the first ransomware variants to use Tor, the open-source anonymity network, to hide its command-and-control infrastructure from takedown and from analysts tracing where the decryption keys were held.

It targets almost all versions of Windows, "including Windows XP, Vista, 7 and 8. Once infected, all documents, photos, music, videos, etc. on the device are encrypted asymmetrically, which makes it very difficult to decrypt the files without the private key in possession of the criminals, which might be released when victims pay the ransom," warned Europol.

It continued: "As a result of the law enforcement activities, more than 170 victims from several European countries have been identified to date; all filed complaints and provided evidence that will help with the prosecution of the suspects."