Two of the five unnamed individuals cuffed this month in Romania on suspicion of spreading ransomware face US computer crime charges – for their alleged role in taking over 123 out of 187 networked computers that control Washington DC's CCTV cameras earlier this year.

Europol, which led the arrests, said this week that two of those arrested are suspected of attacking American computer systems using the Cerber ransomware. The Euro plod noted that the US Secret Service is also investigating those malware infections.

In an affidavit obtained by CNN – unsealed by mistake and then resealed – Secret Service agent James Graham laid out the basis for the US Department of Justice's computer fraud case against two Romanian nationals, Mihai Alexandru Isvanca and Eveline Cismaru.

In an email to The Register, a justice department spokesperson confirmed the linkage of the arrests and the US court filing. "These are separate but related investigations and the people you name are among those arrested by Europol," the spokesperson said. "Any court documents are not publicly available."

In other words, the Isvanca and Cismaru nabbed in Romania by police as suspected Cerber ransomware extortionists are the Isvanca and Cismaru accused in the US of attacking the American capital's CCTV camera system.

Traffic cameras

Graham described how around January 9, 2017, and January 12, 2017, the pair, as part of an alleged ransomware scheme, took control of the networked Windows computers used by the Washington DC Metropolitan Police to run their traffic cameras.

On January 12, having recognized that some of the cameras were offline, DC police IT staff and a Secret Service agent used Remote Desktop Protocol (RDP) software to connect to one of the servers controlling the cameras.

They observed the device with a number of open desktop windows running unexpected software. The windows displayed: a tracking number for a European shipping company, Hermes; a browser window with a Sendgrid account with activity for multiple email addresses; a browser window with Google search results for "email verifier online"; a browser window for http://emailx.discoveryvip.com/; a desktop window with a notepad program showing programming code and text files; and a window showing the splash screen for Cerber ransomware.

The IT administrator then blocked network access for the compromised device, which was subsequently removed, along with two other computers, for forensic analysis.

Investigators determined that two ransomware variants, Cerber and Dharma, had been installed on the computers. They also found a text file, USA.txt, that contained 179,616 email addresses, used to spam intended ransomware victims. A text file with the same checksum was subsequently found in an email account associated with one of the defendants.

Among the various email addresses used in the scheme, analysts identified vand.suflete@gmail.com as being of particular interest. According to Graham, the Romanian phrase "vand suflete" translates to "selling souls" in English.

Remote control

Graham explained that records for that Gmail address obtained from Google included a message with a link to what is believed to be a Cerber control panel. Allegedly, Isvanca and Cismaru were renting access to Cerber in order to infect victims, scramble their files, and extort money from them to restore the data.

"In my training and experience, within the Cerber business model, the owner and creator of the Cerber malware leases out Cerber resources to affiliates (essentially, customers)," he explained in the court filing. "A Cerber control panel is a website that allows a Cerber affiliate to control the Cerber framework without having access to the source code, thereby allowing the owner and creator to retain for themselves the intellectual property of the malware and thus to generate additional income from other affiliates."

The Europol release calls this "crime-as-a-service."

Tracing the connections across the various email accounts led to Isvanca and Cismaru.

Investigators contacted some of the people and organizations mentioned in the vand.suflete@gmail.com email account to determine whether their systems had been compromised. An unnamed company, confirming that it had been hacked, responded with screenshots of the Cerber splash page on its systems.

The Hermes shipment tracking number seen on one of the compromised DC computers was traced to an address in London, UK, but an inquiry by the UK National Crime Agency found no evidence the recipients were involved in the ransomware scheme.

UK healthcare biz hacked

The IP address used to create the order, found on a DC computer, was traced to a UK healthcare company. That IP address was also found in an email in the vand.suflete@gmail.com account.

The company, which confirmed to investigators that a user account on its eXpressApp Framework (XAF) system had been compromised, is left unnamed in the affidavit. A quick lookup of the IP address indicates that it is associated with the Newcastle office of healthcare firm WellWork Ltd, a name that's also spelled out in what appears to be an RDP connection string in the court filing.

The various email accounts and IP addresses, cross-referenced with fraud databases, provided enough details to ask Romanian officials for further digital data linked to the defendants.

Facebook and YouTube posts helped too. Graham said that in his experience, people often make slight alterations to their social media accounts to disguise their identities. Those alterations proved insufficient to hide from investigators. ®