Countering the ransomware threat

The risk of becoming a victim of a ransomware attack continues to increase as criminals exploit organisational vulnerabilities and typically use spear-phishing emails to target potential victims. According to Europol, cases have been rising alarmingly in the past few months and have brought critical activities such as hospitals and governments to a standstill.

Garmin was a recent victim of a cyber attack that encrypted some of their systems. The alleged ransomware attack is thought to be the work of ‘Evil Corp’, a group of Russian hackers that allegedly mainly targets US corporations.  Garmin services started to go offline on Thursday 23 July 2020 and many of the most popular services, including Garmin Connect and most of the Strava integrations, were unavailable to users over the weekend period.  According to Garmin ‘Affected systems are being restored and we expect to return to normal operation over the next few days.’

To counter ransomware a free scheme called No More Ransom is helping victims fight back without paying the hackers. Since its launch four years ago the No More Ransom decryption tool repository has registered over 4.2 million visitors from 188 countries and has stopped an estimated $632 million in ransom demands from ending up in criminals’ pockets.

Powered by the contributions of its 163 partners, the portal has added 28 tools in the past year and can now decrypt 140 different types of ransomware infections. The portal is available in 36 languages.  All the key figures can be seen in Europol’s dedicated infographic.

How No More Ransom works

No More Ransom is the first public-private partnership of its kind helping victims of ransomware recover their encrypted data without having to pay the ransom amount to cybercriminals.

To do this, simply go to the website nomoreransom.org and follow the Crypto Sheriff steps to help identify the ransomware strain affecting the device. If a solution is available, a link will be provided to download the decryption tool for free.

Prevention remains the best cure

No More Ransom goes a long way to help people impacted by ransomware, but there are still many types of ransomware out there without a fix. Fortunately, there are some preventative steps you can take to protect yourself from ransomware:

  • Always keep a copy of your most important files somewhere else: in the cloud, on another drive offline, on a memory stick, or on another computer.
  • Use reliable and up-to-date anti-virus software.
  • Do not download programs from suspicious sources.
  • Do not open attachments in e-mails from unknown senders, even if they look important and credible.
  • And if you are a victim, do not pay the ransom!

Do you have an innovative solution for ransomware families not yet covered in the portal to help victims recover their files without giving in to the demands of the criminals? If so, Europol would like to hear from you.

What is Ransomware?

The EAST Payments Task Force (EPTF) defines ransomware as ‘A type of malicious software designed to block access to a computer system until a sum of money is paid.’  It is a form of data compromise.  An overview of all EAST Fraud Definitions can be seen here.

Tips and Advice From Europol

 

EFECC launched by Europol

Today Europol launched the new European Financial and Economic Crime Centre (EFECC). The Centre will enhance the operational support provided to the EU Member States and EU bodies in the fields of financial and economic crime and promote the systematic use of financial investigations. The new EFECC has been set up within the current organisational structure of Europol that is already playing an important part in the European response to financial and economic crime and will be staffed with 65 international experts and analysts.

Economic and financial crimes are a highly complex and significant threat affecting millions of individual EU citizens and thousands of companies in the EU every year. In addition, money laundering and criminal finances are the engines of organised crime: without them criminals would not be able to make use of the illicit profits they generate with the various serious and organised crime activities carried out in the EU. According to previous reports by Europol, 98.9% of estimated criminal profits are not confiscated and remain at the disposal of criminals.

Furthermore, the COVID-19 pandemic in Europe has provided ample evidence that criminals are quick to adapt their criminal schemes to changing conditions to exploit fears and vulnerabilities. Economic stimuli such as those proposed in the wake of the COVID-19 pandemic will be targeted by criminals seeking to defraud public funding. To effectively disrupt and deter criminals involved in serious and organised crime, law enforcement authorities need to follow the money trail as a regular part of their criminal investigations with the objective of seizing criminal profits.

The exponential increase of financial and economic crime and the involvement of organised crime on a large scale, together with the number of requests for operational support from EU Member States, called for an adequate and coordinated European response.

A strategic report published today provides an overview of the most threatening phenomena in the area of economic and financial crime including various types of fraud, the production and distribution of counterfeit goods, money laundering and others.

Europol launched the European Financial and Economic Crime Centre at a press conference at its headquarters, modelled along the lines of similar initiatives such as the European Cybercrime Centre (EC3), the European Counter Terrorism Centre (ECTC), the European Migrant Smuggling Centre (EMSC) and the European Serious Organised Crime Centre (ESOCC) hosted at Europol.

EAST and Europol have worked together in partnership since 2004

Hacker Group ‘InfinityBlack’ taken down

Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, have taken down ‘InfinityBlack’, a hacker group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud. The hackers created online platforms to sell user login credentials known as ‘combos’. The group was organised into three teams:

  • Developers created tools to test the quality of the stolen databases.
  • Testers analysed the suitability of authorisation data.
  • Project managers then distributed subscriptions against cryptocurrency payments.

The hacker group’s main source of revenue came from stealing loyalty scheme login credentials and then selling them on to other, less technical, criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.

The hackers created a sophisticated script to gain access to a large number of Swiss customer accounts. Although the losses are estimated at €50,000, the hackers had access to accounts with potential losses of more than €610,000. Fraudsters were spotted when using the stolen data in shops in Switzerland.

Effective Cross-Border Cooperation resulted in arrests

On 29th April 2020, the Polish National Police searched six locations in five Polish regions and arrested five individuals believed to be members of the hacker group. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100,000. Two platforms with databases containing over 170 million entries were closed down by the police.

Between 30th April and 2nd May 2019, five arrests were made in the Swiss canton of Vaud.  This was as a result of investigative measures taken by specialists from the Cyber Investigation Division (DEC) of the Vaud Cantonal Police.  Once the criminal gang cashing out the loyalty points was identified in Switzerland, police exchanged criminal intelligence and uncovered links to members of the separate hacking group in Poland.

Europol enabled close cooperation between cyber units in Poland and Switzerland through the dedicated network of cyber liaison officers (J-CAT) hosted at Europol’s headquarters. Europol also supported the operation by facilitating information exchange and providing technical and analytical support. Eurojust facilitated the transmission of information between the Public Prosecutor’s Offices in Switzerland and Poland.

How COVID-19 will impact Organised Crime in the EU

Europol has just published a new report which assesses the impact of the COVID-19 pandemic on serious and organised crime across three phases:

  1. The Current Situation
  2. The Mid-Term Outlook
  3. The Long Term Impact

For more on the current situation see Europol’s previous reports published in March and April 2020.

During the medium term, easing of lockdown measures will see criminal activity return to previous levels, featuring the same type of activities as before the pandemic. However, the COVID-19 pandemic is likely to have created new opportunities for criminal activities that will be exploited beyond the end of the current crisis. It is expected that the economic impact of the pandemic and the activities of those seeking to exploit it will only start to become apparent in the mid-term phase and will likely not fully manifest until the longer term. Some of the relevant crime areas are:

  • Anti-money laundering: the pandemic and its economic fallout will exert significant pressure on the financial system and the banking sector. Anti-money laundering regulators must be vigilant and should expect attempts by organised crime groups to exploit a volatile economic situation to launder money using the on-shore financial system.
  • Shell companies: criminals will likely intensify their use of shell companies and companies based in off-shore jurisdictions with weak anti-money laundering policies at the placement stage to receive cash deposits that are later transferred to other jurisdictions.
  • The real estate and construction sectors will become even more attractive for money laundering both in terms of investment and as a justification for the movement of funds.
  • Migrant smuggling: While the economic impact of the COVID-19 crisis in Europe is not yet clear, it is expected that the impact on economies in the developing world is likely to be even more profound. Prolonged economic instability and the sustained lack of opportunities in some African economies may trigger another wave of irregular migration towards the EU in the mid-term.

Looking longer term, some predictions are:

  • Organised crime is highly adaptable and has demonstrated the ability to extract long-term gains from crises, such as the end of the Cold War or the global economic crisis of 2007 and 2008.
  • Communities, especially vulnerable groups, tend to become more accessible to organised crime during times of crisis. Economic hardship makes communities more receptive to certain offers, such as cheaper counterfeit goods or recruitment to engage in criminal activity.
  • Mafia-type organised crime groups are likely to take advantage of a crisis and persistent economic hardship by recruiting vulnerable young people, engaging in loan-sharking, extortion and racketeering.
  • Organised crime does not occur in isolation and the state of the wider economy plays a key role. A crisis often results in changes in consumer demand for types of goods and services. This will lead to shifts in criminal markets.

Key factors with an impact on crime during and after the COVID-19 pandemic

Several factors have a significant impact on serious and organised crime during the COVID-19 pandemic. These factors shape criminal behaviour and create vulnerabilities. Based on experience gained during prior crises, it is essential to monitor these factors to anticipate developments and pick up on warning signals.

  • Online activities: more people are spending more time online throughout the day for work and leisure during the pandemic, which has increased the attack vectors and surface to launch various types of cyber-attacks, fraud schemes and other activities targeting regular users.
  • Demand for and scarcity of certain goods, especially of healthcare products and equipment, is driving a significant portion of criminals’ activities in counterfeit and substandard goods and fraud.
  • Payment methods: the pandemic is likely to have an impact on payment preferences beyond the duration of the pandemic. With a shift of economic activity to online platforms, cashless transactions are increasing in number, volume and frequency.
  • Economic downturn: A potential economic downturn will fundamentally shape the serious and organised crime landscape. Economic disparity across Europe is making organised crime more socially acceptable as these groups will increasingly infiltrate economically weakened communities to portray themselves as providers of work and services.
  • Rising unemployment and reductions in legitimate investment may present greater opportunities for criminal groups, as individuals and organisations in the private and public sectors are rendered more vulnerable to compromise. Increased social tolerance for counterfeit goods and labour exploitation has the potential to result in unfair competition, higher levels of organised crime infiltration and, ultimately, illicit activity accounting for a larger share of GDP.

To download a full copy of the report visit Europol’s website.

An earlier post on this website covers advice on Cybersecurity awareness during the COVID-19 pandemic.

EPTF holds Seventh Meeting

The Seventh Meeting of the EAST Payments Task Force (EPTF) took place on Wednesday 15th April 2020. Due to the Covid-19 situation it was conducted as a virtual meeting and 16 EPTF members participated.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors and Solution Providers took part.

There was a detailed discussion on the impact of Covid-19 on fraud and updates were provided from Austria, France, Germany, the Netherlands, Norway, Portugal, Spain and the United Kingdom. Updates were also given by Europol, Group-IB and Trend Micro.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 213 EAST Associate Member Organisations from 53 countries and territories.

Investment fraud gang taken down in Bulgaria and Serbia

A large criminal network involved in investment fraud, money laundering and social engineering was taken down in an international investigation, launched one year ago. The action day, which took place in Belgrade and Sofia, went ahead on 2 April despite the current lockdown.

Estimated total losses were €80 million and the fraud affected over 1,000 victims in Germany and Austria, as well as people in other countries. In Austria, it is estimated that 850 victims lost around €2.2 million, while in Germany hundreds of victims suffered estimated losses of about €10 million.

The suspects, believed to be members of a large criminal network, offered bogus investments in trading products such as binary options and contracts for difference (CFDs) on online trading platforms. The investments started at around €250, and agents from call centres in Bulgaria and Serbia then manipulated the victims into making much higher investments in non-existent trading products including CFDs and forex (foreign exchange currency market).

During the action day, law enforcement authorities from Bulgaria and Serbia carried out 11 house searches and arrested 9 individuals (5 in Serbia and 4 in Bulgaria). Two of the leaders of the criminal network were arrested in Sofia. The seizures include five properties in Serbia, €2.5 million from a bank account in Germany, electronic equipment and other evidential material. 30 other bank accounts were put under surveillance.

Europol and Eurojust supported the investment fraud investigation, which involved law enforcement and judicial authorities from Austria, Bulgaria, Germany and Serbia.

Europol facilitated information exchange and provided analytical support, cross-checking operational information in real-time against its databases to provide leads to investigators in the field, and a Joint Investigation Team between Austria and Germany was set up by Eurojust to coordinate judicial matters.

EAST and Europol have worked together since 2004 and EAST provides secure platforms for public/private sector cooperation in the fight against organised criminal groups engaged in financial crime.  Click here for more information on EAST’s law enforcement relationships.

The EAST Payments Task Force (EPTF) has a specific focus on tackling social engineering. This Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.

COVID-19 – Cybersecurity Awareness

The coronavirus outbreak is still a rising issue for many countries and related lock-downs have forced many people into teleworking – working at home, while communicating with their office by phone or email, or using the Internet. This raises cybersecurity concerns.

Malign actors are actively exploiting these new challenging circumstances to target remote workers, businesses and individuals alike.  It is vitally important for everyone to be fully aware of the threats and to ensure that anything transacted over the Internet is done safely and securely.

To help with this awareness, Europol has provided ‘Safe Teleworking Tips and Advice’ for both employees and employers, as well as tips on ‘How To Make Your Home a Cyber Safe Stronghold’ (available for download in 13 languages).

The EAST Payments Task Force (EPTF) has a specific focus on cybersecurity.  This Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.

EAST EGAP holds 13th Meeting in The Hague

The 13th meeting of the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) took place on Tuesday 3rd March 2020 in The Hague.

EAST EGAP is a European specialist expert forum for discussion of ATM and ATS related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The meeting was chaired by Mr Graham Mott of the LINK Scheme and was attended by key representatives from Law Enforcement, Terminal Deployers, ATM Networks and Security Equipment Vendors.  Europol gave a central assessment of the ATM physical attack situation in Europe and National Threat Assessments were shared by representatives from fifteen countries.

A presentation was given by ESTA, the Cash Management Companies Association, and an update from the European Central Bank (ECB) was shared.

EAST EGAP, which meets twice each year, enables in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement

50th EAST Meeting hosted by PSA in Vienna

The 50th EAST Meeting (National Members) was hosted by Payment Services Austria (PSA) in Vienna on 12th February 2020. The meeting was chaired by Martine Hemmerijckx of Worldline NV/SA, who co-founded EAST with Lachlan Gunn, EAST Executive Director, in 2004.

This was a milestone meeting and the last in the current format as, in June 2020, EAST will hold its 1st Global Congress.  In recognition of her work in founding and supporting EAST, and on behalf of the EAST Board and members, Lachlan presented Martine with an award.

National country crime updates were provided by 20 countries, and a global update by HSBC.  Topics covered included payment fraud and the continuing evolution of payment technology and related threats, terminal related fraud attacks, malware and logical attacks, and ATM related physical attacks.

The Criminal Intelligence Service Austria presented on the prevention of e-commerce fraud. The European Cybercrime Centre (EC3) at Europol gave a presentation on forthcoming Europol activities for 2020, with a specific focus on Carding Action Week (CAW). This was followed by a presentation from the Gulf Cooperation Council Police (GCCPOL) that gave an update on payment and fraud issues seen by their 6 member countries.

Presentations were also given by the EAST Payments Task Force (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).  An update was given by the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 1-2020 will be produced later this month, based on the national country crime updates provided at the 50th EAST Meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

Europol publishes Turkish language version of ATM Logical Attack Guidelines

Europol has just published a Turkish language version of guidelines to help industry and law enforcement counter the ATM Logical Attack threat. The English version of the document was officially launched in January 2019 at the 17th Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF). The document is now available in English, French, German, Spanish, Russian and Turkish.

The production of this document was coordinated by EAST EGAF.  It has three sections:

  1. Description of Modi Operandi (Hareket Tarzi Açiklamasi)
  2. Mitigating the risk of ATM Logical and Malware Attacks, Setting up Lines of Defence (ATM’lere Yönelik Mantiksal ve Kötü Niyetli Yazilim Saldirilarinin Risklerini Hafifletmek Savunma Hatlari Kurmak)
  3. Identifying and responding to Logical and Malware Attacks (Mantiksal ve KÖTÜ Niyetli Yazilim Saldirilarini Saptamak ve Yanitlamak)

The Guidelines were first published in 2015 and this latest version provides clearer definitions and greater clarity of the criminal methods and techniques encountered in these attacks, along with more detailed recommendations on how to mount a robust and effective response to them.  The recent fall in ATM malware and logical attacks, as reported by EAST in the latest European Payment Terminal Crime Report published in October 2019, reflects the work that has been put into preventing such attacks by the industry and law enforcement.

Circulation of the document is restricted to Law Enforcement and to the banking and payments industry, which includes EAST Members (National and Associate).