[BreachExchange] Romanian hackers arrested in international ransomware investigation

Destry Winant destry at riskbasedsecurity.com
Wed Dec 20 21:58:35 EST 2017


https://www.washingtonpost.com/local/public-safety/romanian-hackers-arrested-in-international-ransomware-investigation/2017/12/20/44a380b6-e5bc-11e7-833f-155031558ff4_story.html?utm_term=.245a60ba0ef9

Five Romanian hackers were arrested over the past week as part of an
international investigation into computer ransomware, officials in the
United States and Europe said Wednesday.

In six houses across Romania, law enforcement operatives from Romania,
Britain, the United States and the Netherlands seized hard drives,
laptops, external storage devices and documents related to malicious
software called CTB-Locker or Critroni.

The program targets Windows computers with spam designed to look like
invoices from well-known European countries, according to law
enforcement. If the attachment to the fake invoice is downloaded, it
encrypts files on a victim’s computer until a ransom is paid in
bitcoin.

Hackers can earn a cut of ransom profits by helping spread the
malicious software through their own spam campaigns, an “affiliate”
innovation the FBI says CTB-Locker helped pioneer.

The ransomware, first seen in 2014, was also one of the first to use
the anonymizing software Tor to conceal the location of its servers.
CTB stands for Curve-Tor-Bitcoin; Curve is an encryption method.

Three of the arrested individuals will be prosecuted in Romania,
according to the FBI.

Two other suspects were arrested in the Romanian capital, Bucharest,
as part of a parallel investigation, according to Europol. Where they
will be tried has yet to be determined. The European police agency has
identified over 170 victims in its jurisdiction.

The U.S. Attorney’s Office for the District of Columbia is helping
handle the American investigation, but no hackers have yet been
charged in U.S. court, an FBI spokeswoman said.

Timothy R. Slater, the special agent in charge of the FBI’s Washington
Field Office, said in a statement that “these arrests highlight the
value of international cooperation in bringing to justice perpetrators
in a criminal network, wherever they reside.”

