LockBit Ransomware group disrupted by Police

Law enforcement from 10 countries have disrupted the criminal operation of the LockBit ransomware group at every level, severely damaging their capability and credibility.  LockBit is widely recognised as the world’s most prolific and harmful ransomware, causing billions of euros worth of damage.  This followed a complex investigation led by the UK’s National Crime Agency (NCA) in the framework of an international taskforce known as ‘Operation Cronos’, coordinated at the European level by Europol and Eurojust.  A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal activities.

  • The operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise. This included the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom.
  • Two LockBit actors were arrested in Poland and Ukraine at the request of the French judicial authorities. Three international arrest warrants and five indictments have also been issued by the French and U.S. judicial authorities.
  • Authorities have frozen more than 200 cryptocurrency accounts linked to the criminal organisation, underscoring the commitment to disrupt the economic incentives driving ransomware attacks.
  • The UK’s NCA has  taken control of the technical infrastructure that allows all elements of the LockBit service to operate, as well as their leak site on the dark web, on which they previously hosted the data stolen from victims in ransomware attacks.

Decryption tools available on ‘No More Ransom’

With Europol’s support, the Japanese Police, the NCA and the US Federal Bureau of Investigation (FBI) have concentrated their technical expertise to develop decryption tools designed to recover files encrypted by the LockBit Ransomware.

These solutions have been made available for free on the ‘No More Ransom’ portal, available in 37 languages. So far, more than 6 million victims across the globe have benefitted from ‘No More Ransom’ which contains over 120 solutions capable of decrypting more than 150 different types of ransomware.

About Lockbit

  • LockBit first emerged at the end of 2019, first calling itself ‘ABCD’ ransomware.  Since then, it has grown rapidly and in 2022 it became the most deployed ransomware variant across the world.
  • The group is a ‘ransomware-as-a-service’ operation, meaning that a core team creates its malware and runs its website, while licensing out its code to affiliates who launch attacks.
  • LockBit’s attack presence is seen globally, with hundreds of affiliates recruited to conduct ransomware operations using LockBit tools and infrastructure.  Ransom payments were divided between the LockBit core team and the affiliates, who received on average three-quarters of the ransom payments collected.
  • The ransomware group is also infamous for experimenting with new methods for pressuring their victims into paying ransoms.  Triple extortion is one such method which includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also incorporates Distributed Denial-of-Service (DDoS) attacks as an additional layer of pressure.
  • The gang’s move to triple extortion was partly influenced by a DDoS attack they themselves experienced, which impeded their ability to publish stolen data.  In response, LockBit enhanced their infrastructure to resist such attacks.

This infrastructure is now under law enforcement control, and more than 14,000 rogue accounts responsible for exfiltration or infrastructure have been identified and referred for removal by law enforcement.  For more information read the Europol Press announcement.

EAST Response

EAST focusses on tackling ransomware and cybercrime through the EAST Expert Group on Payment and Transaction Fraud (EPTF). The next EPTF meeting will be held on 17th April 2024.

Europol publishes report on malware-based cyber attacks

Europol has published a spotlight report “Cyber Attacks: The Apex of Crime-as-a-Service”, which sheds light on malware and DDoS attacks and unveils ransomware groups’ business structures as observed by Europol’s operational analysts.  The report, that follows Europol’s Internet Organised Crime Assessment (IOCTA) 2023, also outlines the types of criminal structures that are behind cyber-attacks, and how these increasingly professionalised groups are exploiting changes in geopolitics as part of their modi operandi.

This report is the first in a series of Spotlight Reports released by Europol as part of the IOCTA 2023.  Each takes a closer look at emerging trends in a specific area of cybercrime.  Other modules within the IOCTA 2023 look at online fraud and child sexual exploitation.

Key findings of the Report

  • Malware-based cyber attacks remain the most prominent threat to industry;
  • Ransomware affiliate programs have become established as the main form of business organisation for ransomware groups;
  • Phishing emails containing malware, Remote Desktop Protocol (RDP) brute forcing and Virtual Private Network (VPN) vulnerability exploitation are the most common intrusion tactics;
  • The Russian war of aggression against Ukraine led to a significant boost in Distributed Denial of Service (DDoS) attacks against EU targets;
  • Initial Access Brokers (IABs), droppers-as-a-service and crypter developers are key enablers utilised in the execution of cyber-attacks;
  • The war of aggression against Ukraine and Russia’s internal politics have uprooted cybercriminals, pushing them to move to other jurisdictions.

Europol’s response to Cybercrime

Europol provides dedicated support for cybercrime investigations in the EU and thus helps protect European citizens, businesses and governments from online crime.  Europol offers operational, strategic, analytical and forensic support to Member States’ investigations, including malware analysis, cryptocurrency-tracing training for investigators, and tool development projects.  Based in Europol’s European Cybercrime Centre (EC3), the Analysis Project Cyborg focuses on the threat of cyber-attacks and supports international investigations and operations into cyber criminality affecting critical computer and network infrastructures in the EU.

EAST response to Cybercrime

EAST focusses on tackling cybercrime through two of its Expert Groups – the EAST Expert Group on Payment and Transaction Fraud (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).

Ransomware infrastructure taken down by Police

Europol supported the German, Dutch and US authorities to take down the HIVE ransomware infrastructure.  Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals.  Around €120 million was saved due to mitigation efforts.  This international operation involved authorities from 13* countries.

HIVE ransomware has been identified as a major threat as it has been used to compromise and encrypt the data and computer systems of large IT and oil multinationals in the EU and the USA.  Since June 2021, over 1,500 companies from over 80 countries worldwide have fallen victim to HIVE associates and lost almost €100 million in ransom payments.

Affiliates executed the cyberattacks, but the HIVE ransomware was created, maintained and updated by developers.  Affiliates used the double extortion model of ‘ransomware-as-a-service’:

  • First, they copied data and then encrypted the files.
  • Then, they asked for a ransom both to decrypt the files and to not publish the stolen data on the Hive Leak Site.
  • When the victims paid, the ransom was split between affiliates (who received 80%) and developers (who received 20%).

Europol streamlined victim mitigation efforts with other EU countries, which prevented private companies from falling victim to HIVE ransomware.  Law enforcement provided the decryption key to companies which had been compromised in order to help them decrypt their data without paying the ransom.  This prevented the payment of more than US$130 million or the equivalent of about €120 million of ransom payments.

Europol facilitated the information exchange, supported the coordination of the operation and funded operational meetings in Portugal and the Netherlands.  Europol also provided analytical support linking available data to various criminal cases within and outside the EU, and supported the investigation through cryptocurrency, malware, decryption and forensic analysis.

The EAST Expert Group on Payment and Transaction Fraud (EPTF) focuses on the security of payments and transactions and covers the prevention of ransomware within its brief. The 14th EAST EPTF meeting took place on 9 November 2022.

Hit by Ransomware? 136 free tools are now available to rescue your files

The No More Ransom initiative is offering 136 free tools to rescue files held to ransom.  The scheme has just celebrated its 6th Anniversary and over 10 million people have now downloaded its decryption tools.  It is a great example of a successful public-private partnership initiative – to date it has helped over 1.5 million people successfully decrypt their devices without needing to pay the criminals. The portal is available in 37 languages in order to better assist victims of ransomware across the globe.

Launched by Europol, the Dutch National Police (Politie) and IT security companies, the No More Ransom portal initially offered four tools for unlocking different types of ransomware and was available only in English.  Last year a new website was launched. Six years later the scheme offers 136 free tools for 165 ransomware variants, including Gandcrab, REvil/Sodinokibi, Maze/Egregor/Sekhmet and more.  Over 188 partners from the public and private sector have joined the scheme, regularly providing new decryption tools for the latest strains of malicious software.

The best cure against ransomware remains diligent prevention. You are strongly advised to:

  • Regularly back up data stored on your electronic devices.
  • Watch your clicks – do you know where a link will take you?
  • Do not open attachments in e-mails from unknown senders, even if they look important and credible.
  • Ensure that your security software and operating system are up to date.
  • Use two-factor authentication (2FA) to protect your user accounts.
  • Limit the possibility to export large amounts of corporate data to external file exchange portals.
  • If you become a victim, do not pay! Report the crime and check No More Ransom for decryption tools.

Crypto Sheriff helps identify the type of ransomware affecting your device. This enables a check to see if there is a solution available. If there is, you will be provided with a link to download the decryption solution.

VPN used by Cybercriminals taken down

A joint action by Europol and 10 countries against the criminal misuse of VPN services, targeted the users and infrastructure of VPNLab.net.  This resulted in the take down of 15 servers.  The VPN service aimed to offer shielded communications and Internet access, and was being used in support of serious criminal acts such as ransomware deployment and other cybercrime activities.

Coordinated disruptive actions took place on 17 January 2022 in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom.  Law enforcement authorities have now seized or disrupted the 15 servers that hosted VPNLab.net’s service, rendering it no longer available. Led by the Central Criminal Office of the Hannover Police Department in Germany, the action took place under the EMPACT security framework objective Cybercrime – Attacks Against Information Systems.

VPNLab.net was established in 2008, offering services based on OpenVPN technology and 2048-bit encryption to provide online anonymity for as little as USD 60 per year.  The service also provided double VPN, with servers located in many different countries. This made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities.

Law enforcement took interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution.  Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware.  At the same time, investigators found the service advertised its services on the dark web.

As a result of the investigation, over one hundred businesses have been identified as at risk of cyberattacks.  Law enforcement is working directly with these potential victims to mitigate their exposure.

Europol’s European Cybercrime Centre (EC3) provided support for the action day through its Analysis Project ‘CYBORG’, which organised more than 60 coordination meetings and 3 in-person workshops, as well as providing analytical and forensic support.

The following authorities took part in this operation:

  • Germany: Hanover Police Department (Polizeidirektion Hannover) – Central Criminal Office
  • Netherlands: The Dutch National Hi-Tech Crime Unit
  • Canada: Royal Canadian Mounted Police, Federal Policing
  • Czech Republic: Cyber Crime Section – NOCA (National Organized Crime Agency)
  • France: Sous-Direction de la Lutte Contre la Cybercriminalité à la Direction Centrale de la Police Judiciaire (SDLC-DCPJ)
  • Hungary: RSSPS National Bureau of Investigation Cybercrime Department
  • Latvia: State Police of Latvia (Valsts Policija) – Central Criminal Police Department
  • Ukraine: National Police of Ukraine (Національна поліція України) – Cyberpolice Department
  • United Kingdom: The National Crime Agency
  • United States: Federal Bureau of Investigation
  • Eurojust
  • Europol: European Cybercrime Centre (EC3)

IOCTA 2021 Published by Europol

Europol has published its Internet Organised Crime Threat Assessment for 2021 (IOCTA 2021).  This highlights 5 Key Threats:

  • Ransomware affiliate programs enable a larger group of criminals to attack big corporations and public institutions by threatening them with multi-layered extortion methods such as DDoS attacks.
  • Mobile malware evolves with criminals trying to circumvent additional security measures such as two-factor authentication (2FA).
  • Online shopping has led to a steep increase in online fraud.
  • Explicit self-generated material is an increasing concern and is also distributed for profit.
  • Criminals continue to abuse legitimate services such as VPNs, encrypted communication services and cryptocurrencies.

IOCTA 2021 looks into the (r)evolutionary development of these trends, catalysed by the expanded digitalisation of recent years.

  • Criminals have been quick to abuse the current circumstances to increase profits, spreading their tentacles to various areas and exposing vulnerabilities, connected to systems, hospitals or individuals.
  • While ransomware groups have taken advantage of widespread teleworking, scammers have abused COVID-19 fears and the fruitless search for cures online to defraud victims or gain access to their bank accounts.
  • The increase of online shopping in general has attracted more fraudsters.
  • With children spending a lot more time online, especially during lockdowns, grooming and dissemination of self-produced explicit material have increased significantly.
  • Grey infrastructure, including services offering end-to-end encryption, VPNs and cryptocurrencies continue to be abused for the facilitation and proliferation of a large range of criminal activities.

This has resulted in significant challenges for the investigation of criminal activities and the protection of victims of crime.

“Cybercrime is a reality and law enforcement worldwide needs to catch up,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre (EC3). “… Only by working together can we create innovative ideas and practical approaches that can put a halt to cybercrime acceleration. It is essential to establish the environment and resources required to do so,” he added.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including social engineering and online transactions.  The 11th EAST EPTF meeting took place on 10 November 2021.

New Website launched to help counter Ransomware

Ransomware is malware that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can’t get to the data unless you pay a ransom.  To counter ransomware a free scheme called No More Ransom is helping victims fight back without paying the hackers.  Europol has announced that a new No More Ransom website has been launched to mark the project’s fifth year.  Modern and more user-friendly, the new home of the Crypto Sheriff offers updated information on ransomware, as well as advice on how to prevent a ransomware infection.

The decryptors available in the No More Ransom repository have helped more than six million people to recover their files for free. This prevented criminals from earning almost a billion euros through ransomware attacks. Currently offering 121 free tools able to decrypt 151 ransomware families, it unites 170 partners from the public and private sector. The portal is available in 37 languages.

Ransomware infections occur in different ways, such as through insecure and fraudulent websites, software downloads and malicious attachments. Anyone can be a target – individuals and companies of all sizes.  For best advice on prevention read all the prevention advice on the No More Ransom website.


DoubleVPN taken down by international operation

Law enforcement and judicial authorities in Europe, the US and Canada have seized the web domains and server infrastructure of DoubleVPN.  This is a virtual private network (VPN) service which provided a safe haven for cybercriminals to attack their victims.  DoubleVPN was used by ransomware groups.

Servers were seized across the world where DoubleVPN had hosted content, and the web domains were replaced with a law enforcement splash page. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

DoubleVPN was heavily advertised on both Russian and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and phishing fraudsters. The service claimed to provide a high level of anonymity by offering single, double, triple and even quadruple VPN connections to its clients.  It was being used to compromise networks all around the world and its cheapest VPN connection cost as little as €22 ($25).

The coordinated takedown was led by the Dutch National Police (Politie), under the jurisdiction of the National Public Prosecutor’s Office (Landelijk Parket), with international activity coordinated by Europol and Eurojust.  International cooperation was central to the success of this investigation as the critical infrastructure was scattered across the world.

  • Europol’s European Cybercrime Centre (EC3) supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy. Its cybercrime specialists organised over 30 coordination meetings and four workshops to prepare for the final phase of the takedown, alongside providing analytical and crypto-tracing support. A virtual command post was set up by Europol on the action day to ensure seamless coordination between all the authorities involved in the takedown.
  • Eurojust facilitated the judicial cross-border cooperation and coordination to ensure an adequate response in order to take down the network. For this purpose, six dedicated coordination meetings organised by Eurojust took place from October of the previous year onwards, and Eurojust set up a coordination centre during the action day, during which the operation was rolled out on the ground by the various national authorities involved.

The EAST Payments Task Force (EPTF), which meets three times each year, focuses on the prevention of payment fraud.  It has provided fraud definitions to be adopted globally when describing or reporting payment or terminal fraud.  Ransomware is classified as a form of Data Compromise.

EAST presents at the ATEFI Security Committee 2021

EAST Development Director Rui Carvalho presented at the ATEFI Security Committee on 30th April 2021, a virtual event.  The impact of the Covid-19 pandemic has made it more important than ever for the sharing of threat intelligence to strengthen security strategies in Electronic Payments.  The event focussed on both physical and cyber security.  Rui shared key information and statistics from the latest EAST Payment Terminal Crime Report, as well as insights from the 9th Meeting of the EAST Payments Task Force (EPTF) held on 14th April 2021.  He covered:

  • ATM Malware & Logical Attacks
  • Terminal Related Fraud
  • ATM Physical Attacks
  • Payment Fraud (social engineering, ransomware, e-skimming)

The event was attended by public officials, law enforcement agencies, regulatory entities, representatives of international organisations, Managers and Network Security Officials, ATEFI Members from the entire LATAM region and Spain, as well as bank officials, representatives of the Latin American Bank Associations, Credit and Debit Card executives, and specialised media.

ATEFI is the Latin American Association of Operators of Electronic Funds Transfer and Information Services and represents 20 ATM networks in 14 countries throughout Latin America.

In May 2016 EAST and ATEFI joined forces in order to further strengthen cross border cooperation in combating all types of payment crime including payment card fraud, hi-tech crime and ATM cyber and physical attacks.

Cybercriminals will leverage AI as an attack vector and an attack surface

A jointly developed new report by Europol, the United Nations Interregional Crime and Justice Research Institute (UNICRI) and Trend Micro looking into current and predicted criminal uses of artificial intelligence (AI) has been released.  It provides law enforcers, policymakers and other organisations with information on existing and potential attacks leveraging AI and recommendations on how to mitigate these risks.

The report concludes that cybercriminals will leverage AI both as an attack vector and an attack surface.  Deep fakes are currently the best-known use of AI as an attack vector.  However, the report warns that new screening technology will be needed in the future to mitigate the risk of disinformation campaigns and extortion, as well as threats that target AI data sets.

For example, AI could be used to support:

  • convincing social engineering attacks at scale;
  • document-scraping malware to make attacks more efficient;
  • evasion of image recognition and voice biometrics;
  • ransomware attacks, through intelligent targeting and evasion;
  • data pollution, by identifying blind spots in detection rules.

The paper also warns that AI systems are being developed to enhance the effectiveness of malware and to disrupt anti-malware and facial recognition systems.

The EAST Payments Task Force is focussed on payment issues related to social engineering, malware, ransomware and other cyber threats, and notes that this report is an important step forward in assessing the rapid evolution of cybercrime.

The three organisations make several recommendations to conclude the report:

  • harness the potential of AI technology as a crime-fighting tool to future-proof the cybersecurity industry and policing;
  • continue research to stimulate the development of defensive technology;
  • promote and develop secure AI design frameworks;
  • de-escalate politically loaded rhetoric on the use of AI for cybersecurity purposes;
  • leverage public-private partnerships and establish multidisciplinary expert groups.

For more information and to download the report, visit Europol’s website.