Four Romanians arrested for spreading critroni ransomware

[Image: Romanians arrested for involvement in CTB-Locker ransomware]


On Wednesday, Europol reported that four people were arrested in Romania last week for infecting computers worldwide with ransomware. The ransomware forced Windows users to pay a fee before they could access their computer and files again.

In addition, two other suspects were arrested in an investigation conducted by United States authorities. According to Europol, all suspects are members of the same criminal organization, which was involved in spreading the ransomware named CTB-Locker, also known as Critroni.

The suspects were arrested as part of an operation called ‘Bakovia’, a joint action carried out by the Romanian police, public prosecutors from Romania and the Netherlands, the Dutch police, the British National Crime Agency, and the American FBI.


The searches took place at six different locations in Romania. Laptops, data carriers, hundreds of SIM cards and a cryptocurrency mining set-up have been seized.

When a computer is infected with the ransomware, all of the victim's personal files on it are encrypted by the criminals. The criminals then tell their victims they can recover their files by paying a small amount of cash.

In the Netherlands, the investigation into Critroni started back in 2015. The ransomware was distributed through phishing e-mails that appeared to come from telecom provider KPN. The police received over 200 reports from victims during their investigation; the actual number of victims in the Netherlands is most likely much higher. In 2016, Critroni claimed the most victims of all ransomware worldwide, according to security company McAfee.

According to the police, the suspects were responsible for distributing the ransomware. Within the Romanian group, two people are also suspected of spreading the virus named “Cerber” on a large number of computers in the United States.

Dutch server

In 2016, THTC (Team High Tech Crime) received information that a Dutch server was involved in spreading the CTB-Locker virus. THTC then copied and examined the server. On it, they found the source code used to distribute the phishing e-mails, as well as a large number of variants of CTB-Locker itself. The malicious files were analysed to understand the effects of the virus even better. Computer security company McAfee has also carried out additional research.

