Spanish authorities announced Wednesday that they had arrested 10 people who were allegedly involved in a massive “ransomware” ring. The European Cybercrime Centre estimated that the criminal operation "affected tens of thousands of computers worldwide, bringing in profits in excess of €1 million ($1.34 million) per year."

The Spanish Ministry of the Interior described (Google Translate) the lead suspect as “a 27-year-old citizen of Russian origin who was arrested in December in the United Arab Emirates,” and he now awaits extradition to Spain. The newly arrested 10 were linked to the financial cell of the ransomware operation and include six Russians, two Ukrainians, and two Georgians. The Ministry added that the operation remains “open,” suggesting that more arrests could be forthcoming. (Spanish authorities posted a video (RAR) of the new arrests and raid.)

Madrid dubbed the ransomware used by the ring a “police virus” because it throws up a notice that appears to come from law enforcement. The malware demands that the user pay €100 ($134) as a “fine” over a false accusation of accessing child pornography or file-sharing websites. When the victims submit their payment details, European authorities added, the “criminals then go on to steal data and information from the victim’s computer.”

“This is the first major success of its kind against a very new phenomenon that we have only identified in the last two years,” Rob Wainwright, the director of Europol, said at a news conference at the Interior Ministry in Madrid. “This is a mass marketing scam to distribute this thousands of times and rely on the fact that even if only 2 percent fall victim to the scam, it is still a very good pickup rate.”

According to The New York Times, Wainwright estimated that 3 percent of those targeted had paid the fake fines. If the group took in around €1 million per year, that suggests 10,000 people paid the fine each year and over 333,000 were targeted on an annual basis. He added that the software had as many as 48 mutations.

“It used the idiom and logo of each specific police service,” Wainwright said, according to the Times. “Even Europol and my own name have been used to defraud citizens.”

Computers, credit cards seized in raid

Spanish authorities added that they have known about the malware since May 2011 and have received over 1,200 complaints since that time. The Technological Investigation Brigade, an arm of the Spanish National Police, also noted that the malware has affected users across 22 countries.

Police searched six premises in Málaga province, on Spain’s southern coast, and confiscated “IT equipment used for the criminal activities,” as well as “credit cards used to cash out the money that victims paid via Ukash, Paysafecard and MoneyPak vouchers, as well as around 200 credit cards which were used to withdraw €26,000 ($35,000) in cash prior to the arrests.”

The New York Times, citing Spanish police, reported that six of the 10 arrested were charged with “money laundering, fraud and involvement in a criminal organization,” and said the others were under investigation.

The European Cybercrime Centre added that the gang employed “virtual systems for money laundering and other traditional systems using various online gaming portals, electronic payment gateways, or virtual coins. They also used compromised credit cards to extract cash from the accounts of ransomware victims via ATMs in Spain. As a final step, daily international money transfers through currency exchanges and call centres ensured the funds arrived at their final destination in Russia.”