UPDATED 22:43 EST / DECEMBER 20 2017

INFRA

Five men arrested in Romania for distributing CTB-Locker and Cerber ransomware

Five men accused of distributing CTB-Locker and Cerber ransomware have been arrested by authorities in Romania.

The arrests, made by Romania’s Directorate for Investigating Organized Crime and Terrorism, were undertaken based on intelligence provided by Europol, the Federal Bureau of Investigation, the U.S. Secret Service and Dutch National Police. Authorities have seized a number of laptops, hard drives, SIM cards and cryptocurrency mining equipment as evidence against the accused.

According to a statement from Europol, three of the men arrested were behind a spam campaign that saw them send what appeared to be an archived invoice from a legitimate company. Once a potential victim opened the attachment, the CTB-Locker ransomware would be deployed, with files on the victim’s personal computer rapidly being encrypted.
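The lure described above (an archive attachment posing as an invoice, whose real content is a Windows executable) is the kind of thing a mail gateway can catch before a user ever double-clicks it. The following is an added example, not code from the original article or from any of the agencies or vendors it mentions: it inspects a zip attachment in memory and flags the tells of this campaign style, namely executable or script members, "document" double extensions such as `Invoice.pdf.exe`, a PE (`MZ`) header behind an innocent filename, and password-protected members, which scanners cannot look inside. The sample archives are constructed inline so the script runs offline; the extension lists and the `Finding` type are this example's own choices, not anything from the article.

```python
import io
import zipfile
from dataclasses import dataclass

# Member extensions that have no business inside an "invoice" archive from a vendor.
# (Assumed list for this example; tune it to your own mail policy.)
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".hta", ".bat", ".cmd", ".ps1", ".jar", ".lnk",
}
# Document extensions commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


@dataclass
class Finding:
    member: str   # archive member the finding applies to
    reason: str   # human-readable reason the member is suspicious


def inspect_archive(data: bytes) -> list[Finding]:
    """Return a list of findings for a zip attachment; an empty list means nothing flagged."""
    findings: list[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Corrupt or not a zip at all: treat as a finding rather than silently passing it.
        return [Finding("<archive>", "not a valid zip file")]

    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        basename = name.lower().rsplit("/", 1)[-1]
        parts = basename.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""

        if ext in SUSPICIOUS_EXTENSIONS:
            findings.append(Finding(name, f"executable or script member ({ext})"))
        # "invoice.pdf.exe": a document extension immediately before the real one.
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            findings.append(Finding(name, "double extension mimicking a document"))

        # Bit 0 of the general-purpose flags marks an encrypted member; scanners cannot
        # read it, and password-protected "invoices" are a classic evasion.
        if info.flag_bits & 0x1:
            findings.append(Finding(name, "password-protected member (content not scannable)"))
            continue

        # Attackers rename payloads, so look at the bytes, not just the name:
        # every Windows PE file starts with the two-byte "MZ" DOS header.
        with zf.open(info) as member:
            if member.read(2) == b"MZ":
                findings.append(Finding(name, "Windows PE header (MZ) despite filename"))
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build a zip archive in memory from {member name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a fake "invoice" archive carrying a PE stub with a double
# extension, and a genuinely harmless one containing only a PDF.
MALICIOUS_SAMPLE = build_sample_zip({"Invoice_4471.pdf.exe": b"MZ" + b"\x00" * 62})
BENIGN_SAMPLE = build_sample_zip({"Invoice_4471.pdf": b"%PDF-1.4\n%constructed sample\n"})

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, [f"{f.member}: {f.reason}" for f in inspect_archive(sample)])
```

In a gateway you would run `inspect_archive` over every archive-typed attachment and quarantine on any finding; the name-based checks are cheap, and the `MZ` sniff catches the payload even when the sender drops the `.exe` and relies on Windows to decide how to open the file.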

CTB-Locker is a ransomware variant first detected in 2014 that targets various versions of Windows. It encrypts documents, photos, music, videos and other files using asymmetric (public-key) cryptography, so the files cannot practically be recovered without the corresponding private key, which the victim never has. A large-scale campaign using CTB-Locker in 2015, timed to coincide with the release of Windows 10, used emails telling recipients that their Windows 10 upgrade was ready to install; what they actually downloaded was the ransomware. At the time the campaign was attributed to “a gang of cybercriminals,” but it is not clear whether the five men arrested were that gang.

The other two men, also arrested as part of the investigation and believed to be members of the same Romanian criminal group, are alleged to have distributed Cerber, a form of ransomware that emerged in 2016 but kept evolving through various incarnations during 2017.

None of the five men is alleged to have written either Cerber or CTB-Locker. Instead, they are said to have rented the malware from its developers under a ransomware-as-a-service arrangement. “The investigation in this case revealed that the suspects did not develop the malware themselves, but acquired it from specific developers before launching various infection campaigns of their own, having to pay in return around 30 percent of the profit,” Europol said.

Ransomware-as-a-service, or RaaS, is a distribution model that is becoming increasingly popular among cybercriminals: the malware author licenses the code to affiliates, who run the infection campaigns themselves and hand back a share of the profits. A report from Sophos in November found that more ransomware creators are realizing they can make more money by selling kits and serviced packages that others use to run their own attacks. In particular, the report cited Cerber as a classic example of how the spread of ransomware is being powered by RaaS providers.

Image: Maxpixel
