Operation Ransom II – the second of this kind after one in Málaga (Spain) in February 2013 – was the culmination of an extensive investigation of over a year, corroborating the fact that police ransomware is still a big threat to EU citizens.
On 9 July, Spanish National Police arrested the two criminals and searched their house. One of them was caught red-handed, running virtual machines and chatting with other cybercriminals. Along with numerous electronic devices and digital evidence, around EUR 50,000 in cash and several thousand euros in e-currency were seized during the search.
Their sophisticated money laundering facility was processing around EUR 10,000 daily through various electronic payment systems and virtual currencies.
The 21,000 compromised servers of companies located in 80 countries (1,500 of them in Spain) had a common feature whereby access settings were via a remote desktop (RDP). With this setup, the cybercriminal could access all information contained on the servers, using full administrator privileges for the system, i.e. absolute control.
The criminals ran an online shop where the compromised machines were ‘sold’ to 450 of their cybercriminal ‘customers’ who were able to choose the location (country) of their preferred servers.
This Spanish National Police investigation was supported from the early stages by Europol specialists, who organised and hosted a coordination meeting in April 2013. Europol then facilitated the exchange of criminal intelligence with other EU Member States, delivered analytical reports, and supported the operation on the spot with a mobile office and technical advice.
Europol will receive data on the compromised computers so it can be analysed and distributed to law enforcement authorities, who in turn can notify those server owners affected by the criminals’ activity.
According to Troels Oerting, Head of EC3, the development and sophistication of malware will continue and the threat will remain high. It is important for citizens to understand that they should never pay any ransom.