The CTB-Locker and Cerber malware are among the world’s leading ransomware families. This action will likely be quantified and catalogued as the largest ransomware related operation. During this law enforcement operation called “Bakovia”, six cases were investigated in Romania as a result of a joint investigation conducted by the Romanian Police (Service to Combat Cybercrime), the Romanian and Dutch Public Prosecutor’s Office, the Dutch National Police (NHTCU), the UK National Crime Agency, the FBI with the support of the Europol European Center for Cybercrime (EC3) and the Joint Cybercrime Action Group (J-CAT). As a result of this investigation, the agents seized a significant amount of hard disks, laptops, external storage devices, mining devices and various documents. Investigations in Romania have resulted in the criminal group’s accusation of misuse of devices with intent to commit cybercrime and blackmail.
Earlier this year, the Romanian authorities obtained detailed information from the Dutch High Technology Crime Unit and other authorities on the activity of a group of Romanian citizens who were involved in sending spam messages. The targets of this spam attack were well-known companies in countries like Italy, the Netherlands and the United Kingdom. The intent of spam messages was very specific: infecting computer systems and encrypting their data with the Ransomware CTB-Locker also known as Critroni.
But what did the messages contain?
According to what was already known, each email had an attachment, often in the form of an invoice, that hid a file with malicious code. Once the attachment was opened on a machine with a Windows operating system, the malware encrypts the files on the infected device. Once infected, all documents, photos, music, videos, etc. on the device were encrypted using asymmetric encryption techniques, which makes it extremely difficult to decrypt the files without the encryption key created by criminals. This type of attack “forced” the victims to pay the ransom, such was the desperation. Many companies, after paying, were given the key to decipher their files. 170 victims have been identified in several European countries till to the date; all have filed complaints and provided evidence that will help prosecute suspects.
Vulnerable Windows systems
The CTB-Locker was first detected in 2014 and was one of the first variants of ransomware to use Tor to hide its command and control infrastructure. It is intended for almost all versions of Windows, including XP, Vista, 7 and 8.
Cerber ransomware in the United States
In addition to the CTB-Locker distribution, two people from the same criminal group in Romania are also suspected of distributing Cerber Ransomware. They are suspected of contaminating a large number of computer systems in the United States. The US Secret Service has subsequently initiated an investigation into Cerber Ransomware infections. This case illustrates the Crime-as-a-Service (CaaS) model since services were offered to any criminal online. The investigation, in this case, revealed that the suspects did not develop the malware themselves but acquired them from specific programmers before launching multiple infection campaigns on their own, having to pay in return about 30% of the profit. This modus operandi is called an affiliate program and is “Ransomware-as-a-service”, representing a form of cybercrime used by criminals primarily on the Dark Web, where criminal tools and services like ransomware are made available by criminals to people with few knowledge on cybernetic issues, bypassing the need for specialized technological skills.
Never pay the ransom
Ransomware attacks are relatively easy to prevent if the user can maintain appropriate “digital hygiene”. This includes regular backup of the data stored on your computer, keeping your systems up to date, and installing robust antivirus software. Also, never open an attachment you receive from someone you do not know or from any strange link or friend sent on social networks by a company, online game partner, etc. If it is infected, we recommend that you do not pay the requested redemption. Most certainly, even paying will never be able to get your files back and will only fund criminal activities. Make a complaint to the national police authorities and give the maximum of detail, do not hide any causes of contagion. This will allow due investigation and enforcement of the law by punishing the criminal groups behind these crimes. So, what do you think about this? Simply share your views and thoughts in the comment section below.