Five Romanian hackers were arrested over the past week in an international cybercrime investigation.

Three of them are suspected of infecting computer systems by spreading the CTB-Locker (Curve-Tor-Bitcoin Locker) malware - a form of file-encrypting ransomware. Meanwhile, two other suspects from the same criminal group were arrested in Bucharest in a parallel ransomware investigation linked to the US, according to Europol. The criminal group is being prosecuted for unauthorised computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail.

During the operation called Bakovia, law enforcement operatives from Romania, the Netherlands, UK and the US have searched six houses in Romania over the past week, seizing hard drives, laptops, external storage devices, cryptocurrency mining devices and numerous documents.

At the beginning of 2017, the Romanian authorities have received information from the Dutch High Tech Crime Unit and other authorities that a group of Romanian nationals were involved in sending spam messages. The spam, which was drafted to look like it was sent from well-known companies in countries like Italy, the Netherlands and the UK, was aimed at infecting computer systems and encrypt their data with the CTB-Locker ransomware also known as Critroni. Each email had an attachment, often in the form of an archived invoice, which contained a malicious file, Europol explained in the press release. Once this attachment was opened on a Windows system, the malware encrypted files on the infected device.

So far, more than 170 victims from several European countries have been identified.

Meanwhile, in addition to the spread of CTB-Locker, two hackers from the same Romanian criminal group are also suspected of distributing the Cerber ransomware. They allegedly infected a large number of computer systems in the US.

“Initially, the CTB-Locker investigation was separate from the Cerber investigation. However, the two were joined when it turned out that the same Romanian group was behind both these attacks. At the time of the actions on CTB-Locker, the two suspects of the Cerber investigation had not yet been located. After the US authorities issued an international arrest warrant for the two suspects, they were arrested the day after in Bucharest while trying to leave the country,” reads the Europol statement.

https://www.youtube.com/watch?v=APg3EuQf23s

Authorities recommend people to not pay the requested ransom if their computer gets infected, but to report the incident to the national police authorities. Also, people can prevent ransonware attacks by regularly backing up the data stores on their computer, keep the systems up to date, and installing an antivirus software. Internet users should never open an attachment received from someone they don’t know, or any odd looking link or email sent by a friend on social media, a company, or online gaming partner.

Irina Marica, irina.marica@romania-insider.com