The Spanish Police, working closely with the European Cybercrime Centre (EC3) at Europol, have dismantled the largest and most complex cybercrime network dedicated to spreading police ransomware (Reveton). It is estimated that the criminals affected tens of thousands of computers worldwide, bringing in profits in excess of one million euros per year.


Operation Ransom resulted in 11 arrests – the first was a 27-year-old Russian, responsible for the creation, development and international distribution of the various versions of the malware. He was arrested in the United Arab Emirates and is currently awaiting extradition to Spain. Furthermore, one of the criminal network’s largest financial cells in the Costa del Sol was dismantled. The Spanish Police also arrested another 10 individuals linked to the financial cell: six Russians, two Ukrainians and two Georgians, all based in Spain.

Six premises were searched in the province of Málaga, where IT equipment used for the criminal activities was confiscated. In addition, investigators seized credit cards used to cash out the money that victims paid via Ukash, Paysafecard and MoneyPak vouchers, as well as around 200 credit cards which were used to withdraw €26 000 in cash prior to the arrests.

The financial cell of the network specialized in laundering the proceeds of their crimes, obtained in the form of electronic money. For this, the gang employed both virtual systems for money laundering and other traditional systems using various online gaming portals, electronic payment gateways or virtual coins. They also used compromised credit cards to extract cash from the accounts of ransomware victims via ATMs in Spain. As a final step, daily international money transfers through currency exchanges and call centers ensured the funds arrived at their final destination in Russia.

Police ransomware is a type of malware that blocks the computer, accusing the victims of having visited illegal websites containing child abuse material or file sharing, and requests the payment of fine to unblock it. By dressing the ransomware up to look as if it comes from a law enforcement agency, cybercriminals convince the victim to pay the ‘fine’ of €100 through two types of payment gateways - virtual and anonymous - as a penalty for the alleged offence. The criminals then go on to steal data and information from the victim’s computer. Since the virus was detected in May 2011, there have been more than 1200 reported cases just in Spain, and the number of victims could be much higher.

Operation Ransom was led by the Spanish Police and coordinated by Europol and Interpol. Other crucial partners included Eurojust, the attachés of the Ministry of Interior of the Spanish Embassy in Moscow and the Spanish Embassy in the UAE.

The Spanish Brigada de Investigación Tecnológica de la Policía Nacional (Technological Investigation Brigade of the National Police) has released a video of the arrests: