Romanian law enforcement authorities have arrested five suspected members of an internet-based ransomware gang responsible for infecting tens of thousands of computers across Europe, the United States and Canada, Europol said on Wednesday.
Romanian police nabbed three members — believed to be operating in the country’s east — while two other members were arrested in Bucharest over the past week, Europe’s law enforcement agency said.
“It’s the first arrests for (using) this kind of ransomware in about five years,” Europol spokeswoman Claire Georges said.
Police searched six homes and seized “a significant amount of hard drives, laptops, external storage and crypto-currency devices and documents,” she added.
The gang is accused of using sophisticated software obtained from developers on the anonymous “dark web” to infect at least 30,000 computers across Europe, the United States and Canada, Georges said.
She said that 30,000 was a “conservative estimate” of the number of users believed to have paid a ransom. “We calculated that some $9 million dollars (7.5 million euros) in bitcoin payments were made at the time,” she added.
The gang used ransomware called “CTB Locker” and “Cerber” which spread as an attachment via emails designed to look like they were from trusted sources such as Microsoft, Facebook and Google Chrome, a Europol cybercrime specialist said.
Once opened, the software infects a computer and encrypts virtually all files, forcing the user to pay a ransom before the information is released.
“They even explain how to download the software, how to get the bitcoins and then transfer it into the criminals’ wallets,” said the specialist, who asked not to be named for security reasons.
The gang shared 30 percent of profits with the ransomware developers, he said.
At least 170 cases involving the gang have been reported to the police.
British and Dutch police cybercrime units conducted the joint investigation with the FBI and Europol’s EC3 Cybercrime Centre and Joint Cybercrime Action Taskforce.
The Romanian suspects are being prosecuted for unauthorized computer access, serious hindering of a computer system, misuse of devices with the intent to commit cybercrimes and blackmail, Europol said.
The agency again urged ransomware victims “never to pay the criminals” but to immediately report it to the police.
Europol, together with Dutch police and anti-virus firms Kaspersky Lab and McAfee, has set up the www.nomoreransom.org website with a host of anti-ransomware tools that can be used to decrypt files for free.