European police take down criminals behind two big ransomware strains

A joint law enforcement efforts has arrest the criminals allegedly behind the CTB-locker and Cerber ransomware strains.

Romanian police announced Wednesday the arrest of three suspects and questioning of six more in an operation against a cybercrime gang that spread two of the most popular ransomware variants in the world.

The arrests, which were carried out last week, were the culmination of a multi-national investigation that began in 2015, according to a statement from the Dutch National High Tech Crime Unit. Other agencies involved included Britain’s National Crime Agency, the FBI, and both Europol’s European Cyber​​Crime Center (EC3) and its Joint Cybercrime Action Taskforce (J-CAT).

Those arrested were linked to two forms of ransomware: CTB-locker and Cerber.

According to Europol, investigators from the Romanian Police Service for Combating Cybercrime seized “a significant amount” of material at the six homes, including “hard drives, laptops, external storage devices, cryptocurrency mining devices and numerous documents.”


The agency said it supported the investigation, known as Operation Bakovia, by “hosting operational meetings, drafting digital forensic and malware analysis reports, collating intelligence and providing analytical support.”

The Dutch statement said that two more suspects linked to the gang were arrested on a separate warrant at the airport in Bucharest two days later on Dec. 15. Those two have been linked by the U.S. Secret Service to Cerber, which is thought to have netted its authors up to $195,000 a month last year.

Initially detected in June 2014, CTB-Locker was one of the first ransomware variants to use the traffic-anonymizing Tor network to hide its command and control infrastructure. The ransomware works on almost all versions of Windows, including XP, Vista, 7 and 8, according to McAfee. The company says that CTB-Locker was the popular form of ransomware in 2016.

McAfee’s Advanced Threat Research team provided technical assistance to the investigation.

The dollar amount attached to ransomware can vary widely, depending whether research is based on tracking ransoms paid or estimating victims’ losses. In 2016, the FBI’s Internet Crime Center received more than 2,500 ransomware complaints from Americans, equalling losses of over $2.4 million. But the center said that fewer than one-in-six such crimes are reported, which would place the actual costs closer to $16 million.


According to Europol, the CTB-Locker case is based on more than 170 victims from several European countries who have filed complaints and provided evidence “that will help with the prosecution of the suspects.”

A breakthrough in the case came last year, Dutch authorities said, when they gained access to a server in the Netherlands sending high-quality spam that spread the malware. “Source code was found on this server for the distribution of phishing [spam] emails as well as a large number of variants of CTB-Locker,” their statement said.

McAfee’s Chief Scientist Raj Samani told CyberScoop via email that the arrests send “a clear message [that] … involvement in cybercrime is not zero risk.”

You can see video of the arrest below.




Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at

Latest Podcasts