Ransomware cybercrime gang broken by Spanish police

Summary: A criminal gang which allegedly ran a ransomware network has been discovered and broken up by police in Spain.

The Secretary of State for Security, Francisco Martinez, and the director of Europol, Rob Wainwright.

An operation to break up a ransomware network estimated to be worth one million euros a year has been successful.

European police agency Europol says that Spanish police, working alongside the European Cybercrime Centre (EC3), have broken up a gang that allegedly ran a ransomware scheme demanding money from online users in 30 countries.

Posing as the police, the ransomware -- a type of malware which demands payment after locking or blocking a user's computer -- accused the victim of visiting illegal websites containing child abuse material or file-sharing capabilities, and then requested payment. The demand was tailored to look like it came from a police agency, and the victim was made to pay the "fine" of €100 ($134) through a gateway.

Investigators think that some victims may have been using the Internet for illicit purposes -- picked up by the malware through keyword searches -- which meant the "fine" was more believable and the rate of return was higher. However, the ransomware didn't stop there, as it also allegedly stole data and personal information from computer systems.

Rob Wainwright, the director of Europol, told the New York Times that as many as 48 variations of the virus have been discovered, many tailored to recognizable police services depending on location.

"It used the idiom and logo of each specific police service," he said. "Even Europol and my own name have been used to defraud citizens."

According to Europol, since May 2011, there have been over 1200 reported cases in Spain, but as the ransomware targeted users in at least 30 countries, it is predicted that the actual number of victims is far higher. The police agency believes that the malware has managed to affect "tens of thousands" of computers worldwide, and earned the cybercrime gang at least one million euros annually.

In "Operation Ransom," 11 people were arrested, the first being a 27-year-old Russian who was on vacation in the United Arab Emirates at the time. He is currently waiting to be deported. In total, another six Russians, two Ukrainians and two Georgians were confronted and taken into custody along the Costa del Sol in Spain, where the main base of operations was believed to be.

According to officials, other cells outside of Europe linked to the ransomware scheme are currently being investigated.

Spanish police searched six premises in Málaga, where IT equipment and over 200 credit cards were seized. To try and hide the ransomware earnings, the cybercriminals apparently laundered the cash flow through numerous bank accounts, online gaming portals, electronic payment gateways and virtual coins. Daily money transfers sent some of the proceeds back to Russia.

Wainwright commented:

"This is the first major success of its kind against a very new phenomenon that we have only identified in the last two years. This is a mass marketing scam to distribute this thousands of times and rely on the fact that even if only 2 percent fall victim to the scam, it is still a very good pickup rate."

Topics: Security, EU, Malware

About

Charlie Osborne, a medical anthropologist who studied at the University of Kent, UK, is a journalist, freelance photographer and former teacher. She has spent years travelling and working across Europe and the Middle East as a teacher, and has been involved in the running of businesses ranging from media and events to B2B sales.
