Five individuals apprehended during Operation Bakovia

Romanian authorities have arrested five individuals who are suspected of infecting computer systems by spreading the CTB-Locker and Cerber ransomware throughout Europe and the US.

An update from Europol this morning detailed the arrest of three suspects who are accused of distributing Curve-Tor-Bitcoin Locker (CTB-Locker). First detected in 2014, this was one of the first ransomware variants to use Tor to hide its command and control infrastructure.

In a parallel investigation during what has been named Operation Bakovia, two other suspects from the same criminal group were arrested in Bucharest for their purported role in spreading the Cerber ransomware across a large number of computer systems in the US.

As a result of the searches in Romania, investigators seized a “significant amount” of hard drives, laptops, external storage devices, cryptocurrency mining devices, and numerous documents.

Footage of the Operation Bakovia arrests can be viewed here.

The criminal group is being prosecuted for unauthorized computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes, and blackmail.


According to Europol, it is likely that the suspects did not develop the malware themselves, but acquired it from specific developers before launching various infection campaigns of their own, having to pay in return around 30% of the profit.

“This modus operandi is called an affiliation program and is ‘Ransomware-as-a-Service’, representing a form of cybercrime used by criminals mainly on the dark web, where criminal tools and services like ransomware are made available by criminals to people with little knowledge of cyber matters, circumventing the need for expert technological skills,” the agency said.

“Ransomware attacks are relatively easy to prevent if you maintain proper digital hygiene. This includes regularly backing up the data stored on your computer, keeping your systems up to date and installing robust antivirus software.”

The arrests come less than a month after a joint operation between the FBI, Europol, and cybercrime authorities around the world led to the successful dismantling of the notorious Andromeda botnet.

Also known as Gamarue, the botnet was associated with 80 malware families and is thought to have infected or blocked an average of more than one million machines every month.