Five Romanian hackers were arrested over the past week as part of an international investigation into computer ransomware, officials in the United States and Europe said Wednesday.
In six houses across Romania, law enforcement operatives from Romania, Britain, the United States and the Netherlands seized hard drives, laptops, external storage devices and documents related to malicious software called CTB-Locker or Critroni.
The program targets Windows computers with spam designed to look like invoices from well-known European countries, according to law enforcement. If the attachment to the fake invoice is downloaded, it encrypts files on a victim’s computer until a ransom is paid in bitcoin.
Hackers can earn a cut of ransom profits by helping spread the malicious software through their own spam campaigns, an “affiliate” innovation the FBI says CTB-Locker helped pioneer.
The ransomware, first seen in 2014, was also one of the first to use the anonymizing software Tor to conceal the location of its servers. CTB stands for Curve-Tor-Bitcoin; Curve is an encryption method.
Three of the arrested individuals will be prosecuted in Romania, according to the FBI.
Two other suspects were arrested in the Romanian capital, Bucharest, as part of a parallel investigation, according to Europol. Where they will be tried has yet to be determined. The European police agency has identified over 170 victims in its jurisdiction.
The U.S. Attorney’s Office for the District of Columbia is helping handle the American investigation, but no hackers have yet been charged in U.S. court, an FBI spokeswoman said.
Timothy R. Slater, the special agent in charge of the FBI’s Washington Field Office, said in a statement that “these arrests highlight the value of international cooperation in bringing to justice perpetrators in a criminal network, wherever they reside.”