Romanian authorities have arrested five people on accusations of spreading email spam that infected users with the CTB-Locker and Cerber ransomware families.

Romania's Directorate for Investigating Organized Crime and Terrorism (DIICOT) made five arrests last week after receiving intel from Europol, the FBI, and Dutch National Police.

Suspects were RaaS users

The five arrested suspects are not ransomware authors, but mere distributors. Investigators say they rented ransomware families from Ransomware-as-a-Service portals. The group packaged the ransomware binaries inside archived files made to look like invoices, which they sent to users as attachments part of email spam. The group kept 70% of the ransom payment, while 30% remained with the RaaS portal.

DIICOT officers initially arrested three individuals in Bucharest, Romania's capital, acting on intel they received from Europol and Dutch police.

Officials believe these three are behind spam waves that distributed the infamous CTB-Locker (Curve-Tor-Bitcoin Locker or Citroni) ransomware, one of the first families that used the Tor network to hide its command-and-control infrastructure.

Investigators find two more suspects after initial arrests

Police arrested two other suspects, part of the same gang, after the initial arrests. At the time of the CTB-Locker-related arrests, authorities had not discovered the identities of the other two suspects.

The initial arrests allowed authorities to discover the real-world identities of the two other suspects and link them to infections with the Cerber ransomware on US targets.

The US Secret Service acted swiftly by issuing an international arrest warrant, which came just in time so Romanian authorities could arrest the other two suspects the next day, while they were trying to leave the country.

McAfee also contributed with information that led to the suspects' arrests. In a statement to Bleeping Computer, Christiaan Beek, Lead Scientist & Principal Engineer at McAfee, said that McAfee assisted this investigation by analyzing samples of malware found on a server that the Dutch High Tech Crime Unit was able to gain access to. These samples turned out to be for the CTB-Locker, which helped to attribute that this server was being used to distribute the ransomware as part of an affiliate campaign.

Below is a video recorded by Romanian police during searches at seven locations. Europol said Romanian authorities seized "a significant amount" of hard drives, laptops, external storage devices, cryptocurrency mining devices, and other documents.

Bleeping Computer has reached out to DIICOT for additional information about the arrests and impending criminal cases. Europol tracked the investigation as Operation Bakovia, after the name of a famous Romanian poet.