Hit by Ransomware? 136 free tools are now available to rescue your files

The No More Ransom initiative is offering 136 free tools to rescue files held to ransom.  The scheme has just celebrated its 6th Anniversary and over 10 million people have now downloaded its decryption tools.  It is a great example of a successful public-private partnership initiative – to date it has helped over 1.5 million people successfully decrypt their devices without needing to pay the criminals. The portal is available in 37 languages in order to better assist victims of ransomware across the globe.

Launched by Europol, the Dutch National Police (Politie) and IT security companies, the No More Ransom portal initially offered four tools for unlocking different types of ransomware and was available only in English.  Last year a new website was launched. Six years later the scheme offers 136 free tools for 165 ransomware variants, including Gandcrab, REvil/Sodinokibi, Maze/Egregor/Sekhmet and more.  Over 188 partners from the public and private sector have joined the scheme, regularly providing new decryption tools for the latest strains of malicious software.

The best cure against ransomware remains diligent prevention. You are strongly advised to:

  • Regularly back up data stored on your electronic devices.
  • Watch your clicks – do you know where a link will take you?
  • Do not open attachments in e-mails from unknown senders, even if they look important and credible.
  • Ensure that your security software and operating system are up to date.
  • Use two-factor authentication (2FA) to protect your user accounts.
  • Limit the possibility to export large amounts of corporate data to external file exchange portals.
  • If you become a victim, do not pay! Report the crime and check No More Ransom for decryption tools.

Crypto Sheriff helps define the type of ransomware affecting your device. This enables a check to see if there is a solution available. If there is, you will be provided with a link to download the decryption solution.

13 more arrests of ATM explosive gang members

German authorities, together with Dutch and Belgian counterparts, have arrested thirteen members of a Dutch gang linked to 21 ATM explosive attacks against cash machines in Germany.  The gang stole over €1.6 million as a result of the attacks, and collateral damage to equipment and buildings was in excess of €4 million.

The arrests took place on 28 June with over 100 Police officers involved in Germany (North Rhine Westphalia) and the Netherlands.

  • 8 arrests were made in the Netherlands
  • 3 arrests were made in Germany
  • 2 arrests were made in Belgium

These arrests follow another successful police operation in May 2022.

Europol’s European Serious Organised Crime Centre supported the investigation from the onset by bringing together the national investigators from Germany and the Netherlands to establish a joint strategy and to organise the intensive exchange of evidence needed to prepare for the final phase of the investigation.

Threat To Life

Law enforcement is increasingly concerned about the heavier explosives that criminals are using to gain access to the ATM safes. The explosions are putting the lives of local residents and bystanders at risk: the surrounding buildings can collapse, or fragments of the explosion can hit passers-by.

In some cases, the perpetrators escape the crime scene in powerful motorised vehicles at speeds of up to 250 km/h, causing a serious risk to public safety.

Cross Border Cooperation

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP) is a cross-border European specialist expert forum for discussion of ATM, ATS and CIT related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices.  The Group meets twice each year to enable in-depth and technical discussion to take place. The 17th EAST EGAP Meeting took place on 2nd March 2022.  Information exchange linked to the prevention of ATM explosive attacks is a key focus of the Group.

EAST Publishes Fraud Update 2-2022

EAST has published its second Fraud Update for 2022.  This is based on country crime updates given by representatives of 19 countries in the Single Euro Payments Area (SEPA), and 6 non-SEPA countries, at the 1st EAST Global Congress held on 16th June 2022.

The following countries supplied full or partial information for this Update:

Armenia, Austria; Belgium; Canada; Finland; France; Germany; Greece; Hungary; Italy; Liechtenstein; Luxembourg; Mexico; Netherlands; Norway; Poland; Romania; Slovakia; South Africa; Spain; Sweden; Switzerland; Turkey; Ukraine; United Kingdom.

FRAUD TYPE

EAST Fraud Update 1

To date in 2022 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.

EAST Fraud Update 2

To date in 2022 the EAST EGAF has published three related Fraud Alerts.

FRAUD ORIGIN

To date in 2022 EAST EGAF has published two related Fraud Alerts.

DUE DILIGENCE

PHYSICAL ATTACKS

To date in 2022 the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) has published two related Physical Attack Alerts.

The full EAST European Fraud Update is available to EAST Members (National, Global and Associate).

Information on the Fraud Definitions and Terminology used by EAST can be found as follows:

FRAUD  DEFINITIONS

FRAUD TERMINOLOGY

TERMINAL FRAUD DEFINITIONS

TERMINOLOGY FOR LOCATIONS OF CDC DEVICES AT ATMS AND OTHER TERMINALS

TERMINAL PHYSICAL ATTACK DEFINITIONS AND TERMINOLOGY

 

EAST EPTF holds 13th Meeting

The 13th Meeting of the EAST Expert Group on Payment and Transaction Fraud (EPTF) took place on Wednesday 29th June 2022.  It was conducted as a virtual meeting and was chaired by Rui Carvalho, EAST Development Director.

The meeting was attended by 13 key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors, Payment Services Providers, and Solution Providers.

Europol and the DCPCU provided the law enforcement perspective, and presentations were also made by Cartes Bancaires, Diebold Nixdorf, HSBC, PAN-Nordic Card Association, Payment Services Austria (PSA), SIBS, STMP, TietoEVRY and Trend Micro.  Social engineering linked to authorised push payment (APP) or impersonation fraud is a key area of concern, as is ransomware.

EAST EPTF, which meets three times a year, adds value to the payments industry by using the unique and extensive EAST National Member and EAST Global Member platforms, and the Associate Member network, to provide information and outputs that are not currently available elsewhere.  It is a specialist group that discusses security issues affecting the payments industry and that gathers, collates, and disseminates related information, trends and general statistics.

EAST National & Global Members represent 35 countries and outputs from the group are presented to EAST Global Congress Meetings.  There are 212 EAST Associate Member Organisations from 52 countries and territories.

Delia Vaquerizo retires from EAST

Delia Vaquerizo has retired from EAST after representing Spain for 17 years.  She attended her first EAST Meeting in 2006 and joined the EAST Board as a non-Executive Director in October 2016.  She is also a founder member of the EAST Expert Group on Payment and Transaction Fraud (EPTF), which was formally launched in 2016.

In recognition of her significant contribution to EAST and the industry, she was presented with an Award by Graham Mott (LINK Scheme and the current EAST Chair) at the 1st EAST Global Congress, her final meeting.

Spain is represented at EAST by the National Member Sistema de Tarjetas y Medios de Pago, S.A. (STMP) and Delia’s role as EAST national representative has been taken over by Susana González Prada from STMP’s Fraud Management department.

EAST Executive Director Lachlan Gunn said: “Delia has done a fantastic job in gathering and collating information and data from the Spanish market, that has been of great benefit to Law Enforcement and the industry.  It has been a real pleasure to work with her over the years. On behalf of the EAST Executive Team, the EAST Board, and of all our members, I wish her all the best for her new role at STMP, where she has responsibility for the management of BNPL (Buy Now Pay Later) solutions for card payments.  While she will no longer be a regular attendee at EAST meetings, we hope to still see her at future EAST Forums and other industry events.”

The 1st EAST Global Congress was held at Europol in The Hague on 16th June 2022.

Phishing gang busted by cross-border Police operation

A cross-border operation, supported by Europol and involving the Belgian Police (Federale Politie) and the Dutch Police (Politie), resulted in the dismantling today of an organised crime group (OCG) involved in phishing, fraud, scams, and money laundering.

  • The OCG used email, text messages and mobile messaging applications to contact their victims.
  • These messages contained a phishing link leading to a bogus banking website.
  • Thinking they were viewing their own bank accounts through this website, the victims were duped into providing their banking credentials to the suspects. The investigative leads suggest that the criminal network managed to steal several million euros from their victims with this fraudulent activity.
  • The OCG used money mules to transfer these funds from the victim’s accounts and to cash out the fraudulently obtained money.
  • Members of the OCG have also been connected with cases of drugs trafficking and possible firearms trafficking.

Police Action

On 21 June 2022 the coordinated Police action led to:

  • 9 arrests in the Netherlands
  • 24 house searches in the Netherlands
  • Seizures including firearms, ammunition, jewellery, electronic devices, cash and cryptocurrency

Europol facilitated the information exchange and the operational coordination, and provided analytical support for the investigation. During the operation, Europol deployed three experts to the Netherlands to provide real-time analytical support to investigators on the ground, forensics and technical expertise.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including phishing. The 12th EAST EPTF meeting took place on 13 April 2022.

Europol launches updated ATM Logical Attack Guidelines at 1st EAST Global Congress

Europol has published updated guidelines to help industry and law enforcement counter the ATM Logical Attack threat.  The new document was officially launched at the 1st EAST Global Congress, which took place on Thursday 16th June 2022 at Europol’s HQ in The Hague.  Production of the document was coordinated by the EAST Expert Group on All Terminal Fraud (EGAF).

It has three sections:

  1. Description of Modi Operandi
  2. Mitigating the risk of ATM Logical Attacks, Setting up Lines of Defence
  3. Identifying and responding to Logical Attacks

This latest version has many updates including improved advice on lines of defence and countermeasures, and a direct link (QR code) to the countermeasures published by EAST.

The original Guidelines were published in 2015, with a first update in 2018.  They have been acknowledged as being of great value by both the industry and law enforcement, and the low success rate of ATM logical attacks in Europe can no doubt be attributed to the fact that this guidance has been widely followed.

Lachlan Gunn, EAST Executive Director, said “This latest version draws upon feedback and expertise from both law enforcement and the private sector, cemented by a working partnership between Europol and EAST EGAF.  We are very grateful to Edvardas Šileris, Head of Europol’s European Cybercrime Centre (EC3), and his team at for making this possible.  I would like to thank Otto de Jong (ING Bank and EAST EGAF Chair) and Christian Beine (Diebold Nixdorf) for their key role in leading this exercise, and to also extend my thanks to GMV, INTERPOL, NCR, TMD Security and Trend Micro for their invaluable work and contributions”. 

ATM Logical Attacks

Pictured above at the launch are (Left to right) Lachlan Gunn, Edvardas Šileris, and Otto de Jong.

Circulation of the document is restricted to Law Enforcement and to the banking and payments industry, which includes EAST Members (National, Global, and Associate).

National & Global Fraud Intelligence sharing – 1st EAST Global Congress

The 1st EAST Global Congress took place on Thursday 16th June 2022 at Europol’s HQ in The Hague as a hybrid meeting, with some delegates participating online. This was the first in-person meeting of EAST Global and National Members since February 2020.  Six virtual interim meetings were held between that meeting and the Global Congress.

The meeting was chaired by Graham Mott from the LINK Scheme and the key focus was on the sharing of payment and terminal fraud intelligence (global, regional, national).  A special welcome was given to Olesya Danylchenko from the Ukrainian Interbank Payment Systems Member Association (EMA).

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), and the United States Secret Service (USSS).  An update was provided from Europol’s European Cybercrime Centre (EC3) on various fraud types and an updated version of the document ‘Guidance and Recommendations Regarding Logical Attacks Against ATMs’ was officially launched.  A presentation from Europol’s Organised Property Crime Unit covered recent Physical ATM attacks across Europe. The USSS update covered recent reports from the FBI’s Internet Crime Complaint Centre (IC3), as well as the latest fraud trends seen.

Private sector fraud intelligence updates were received from 25 countries, either directly or via regional/global updates by HSBC and Worldline.  Regional Updates were also provided for ASP, and MENA.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  The importance of raising consumer awareness to counter the rising threats related to social engineering remains a key issue.

Updates were also given by the Chairs of the three EAST Expert Groups:

EAST Fraud Update 2-2022 will be produced early next month, based on the country updates provided at the EAST Global Congress.  EAST Fraud, Payment, and Physical Attack Alerts are available on the EAST Intranet to EAST Members.

The 2nd EAST Global Congress, scheduled for 5th October 2022, will also be held as a Hybrid Meeting.

Police take down SMS-based FluBot spyware affecting Android phones

The FluBot malware has been stopped by a successful Police operation.  FluBot had been spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected Android smartphones across the world.  It has been one of the fastest spreading mobile malware seen to date.

The takedown was the result of an international law enforcement operation involving 11 countries and coordinated by Europol’s European Cybercrime Centre (EC3).  This resulted in the Dutch police successfully disrupting the FluBot infrastructure and taking over its control during May 2022.  The investigation is ongoing to identify the individuals behind this global malware campaign.

How FluBot Worked

First spotted in December 2020, FluBot gained traction in 2021, compromising a huge number of devices worldwide, including significant incidents in Spain and Finland.  Cases were seen across Europe and in Australia.

The malware was installed via text messages, which asked Android users to click a link and install an application to track a package delivery or to listen to a fake voice mail message. Once installed, the malicious application would ask for accessibility permissions. The hackers would then use this access to steal banking app credentials, or cryptocurrency account details, and to disable built-in security mechanisms.

FluBot was able to quickly spread due to its ability to access an infected smartphone’s contacts.  Messages containing links to the malware were then sent to these numbers, helping to spread the malware.

What to do if your Device has been infected?

FluBot malware is disguised as an application, so it can be difficult to spot. There are two ways to tell whether an app may be malware:

  • If you tap an app, and it doesn’t open
  • If you try to uninstall an app, and are instead shown an error message

If you think an app may be malware, reset the phone to factory settings.

Find out more on how to protect yourself from mobile malware.


International Cooperation

This case highlights the importance of cross-border cooperation in taking down organised criminal groups.  EC3 brought together the national investigators in the affected countries to establish a joint strategy, provided digital forensic support and facilitated the exchange of operational information needed to prepare for the final phase of the action. The J-CAT, hosted at Europol, also supported the investigation.  A virtual command post was set up by Europol on the day of the takedown to ensure seamless coordination between all the authorities involved. The following authorities took part in the investigation:

  • Australia: Australian Federal Police
  • Belgium: Federal Police (Federale Politie / Police Fédérale)
  • Finland: National Bureau of Investigation (Poliisi)
  • Hungary: National Bureau of Investigation (Nemzeti Nyomozó Iroda)
  • Ireland: An Garda Síochána
  • Romania: Romanian Police (Poliția Română)
  • Sweden: Swedish Police Authority (Polisen)
  • Switzerland: Federal Office of Police (fedpol)
  • Spain: National Police (Policia Nacional) 
  • Netherlands: National Police (Politie)
  • United States: United States Secret Service

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including mobile malware. The 12th EAST EPTF meeting took place on 13 April 2022.

ATM explosive attack gang members arrested in successful Police operation

On 17 May 2022 three people were arrested in the Netherlands in connection with a series of ATM explosive attacks in Germany.  The arrests, which took place in Haarlem and Vianen, followed the arrests of 3 other members of the same criminal group on 30 March 2022 in Hessen, Germany.

This gang is believed to have targeted 8 ATMs in Germany between October and November 2021, stealing over €958,000 in cash.  Typically these attacks took place in the early hours of the morning – to access the cash the gang blew open the ATMs with explosives.  These explosions caused nearly €1 million in collateral damage to the buildings where the ATMs were located and the criminals showed reckless disregard for the safety of people in the vicinity of the attacks, or living nearby.

International Police Operation

The arrests were made by the Dutch Police (Politie Noord-Holland), working together with the German Police Directorate of Hochtaunus (Polizeidirektion Hochtaunus).  Europol coordinated the operation (Op Pfeil/Pentagon), which was the culmination of many months of meticulous planning between the German and Dutch authorities.  Europol brought together the national investigators, who have been working closely together with Europol’s Serious Organised Crime Centre, to establish a joint strategy to take down the criminal gang. On the action day a Europol mobile office was deployed to Haarlem to facilitate the extensive exchange of information and evidence, and to support with the analysis of the seized electronic devices.

Police Appeal

In addition to the 6 members arrested so far, law enforcement is seeking to identify a seventh member of this gang.  The German Prosecutor General’s Office Frankfurt am Main are urging members of the public with information to come forward. Anyone who has any knowledge of these fugitives’ whereabouts should get in touch with any information that can help to track down the fugitives.

