Closer stakeholder cooperation essential for ransomware investigations to succeed

The scale and impact of ransomware attacks have increased significantly over the past years, in part due to the COVID-19 pandemic. As such, the success of criminal investigations and prosecutions depends more than ever on close cross-border cooperation between public authorities, private companies and victims. Public-private cooperation is particularly valuable in such cases, as companies can preserve and provide the data and evidence investigators need to investigate crimes and identify criminals.

These are some of the main conclusions from the latest edition of the Cybercrime Judicial Monitor, featuring a special focus on ransomware investigations, published this month.

Cooperation between stakeholders in ransomware investigations is essential. This includes the reporting of ransomware attacks by victims, the preservation and possible analysis of digital evidence by private companies, and the investigation and prosecution by public authorities. The international dimension of investigations and the complexity of identifying criminals require early and close cross-border coordination between judicial and law enforcement authorities. Actions by each stakeholder group play a key role in the mitigation of damages, disruption of attacks and the identification and prosecution of perpetrators.

The report, based on practitioners’ input, highlights the challenges encountered in ransomware investigations. These include:

the loss of data and important e-evidence;
the criminal use of encryption and anonymisation techniques preventing the identification of suspects;
the complexity of investigations and the lack or delay of international coordination;
the absence of a harmonised data-retention legal framework; and
insufficient resources and expertise of law enforcement authorities.

Despite these obstacles, practitioners can learn from the many good practices showcased in the report. These include the swift notification of ransomware attacks to relevant authorities and the creation of technical reports by the victim or affected company. Continuous information exchange between the authorities and the victim/technical team has proved highly important. The provision of guidelines for public authorities on how to deal with ransomware attacks, as well as specialised training for police and judicial authorities, is also key.

The report underlines the successful use of joint investigation teams facilitated by Eurojust, which have led to the identification, arrest and prosecution of cybercriminals. The building of trust between public authorities and private companies by sharing information and regular communication is also essential. Although most countries do not have a specific legal framework for public-private cooperation, experience has shown that such frameworks have enabled ransomware investigations to succeed and that they are therefore much needed.

New Major Interventions to Block Encrypted Communications of Criminal Networks

Judicial and law enforcement authorities in Belgium, France and the Netherlands have in close cooperation enabled major interventions to block the further use of encrypted communications by large-scale organised crime groups (OCGs), with the support of Europol and Eurojust. The continuous monitoring of the illegal Sky ECC communication service tool by investigators in the three countries involved has provided invaluable insights into hundreds of millions of messages exchanged between criminals. This has resulted in the collection of crucial information on over a hundred planned large-scale criminal operations, preventing potential life-threatening situations and possible victims.
During an action day, a large number of arrests were made, as well as numerous house searches and seizures in Belgium and the Netherlands. The operation is an essential part of the continuous effort of judiciary and law enforcement in the EU and third countries to disrupt the illegal use of encrypted communications, as was already displayed last year following the successful de-encryption of the EncroChat communication platform.
As of mid-February, authorities have been able to monitor the information flow of approximately 70 000 users of Sky ECC. Many users of EncroChat changed over to the popular Sky ECC platform, after EncroChat was unveiled in 2020.
By successfully unlocking the encryption of Sky ECC, the information acquired will provide insights into criminal activities in various EU Member States and beyond and will assist in expanding investigations and solving serious and cross-border organised crime for the coming months, possibly years.
Law enforcement in all three countries has been on continuous standby during the last month to be able to provide rapid reactions to possible dangerous criminal activities when required. The newly acquired information will now be analysed further.
Investigations into the tool started in Belgium, after mobile phones seized during searches showed the use of Sky ECC by suspects. Worldwide, approximately 170 000 individuals use the tool, which has its own infrastructure and applications and is operated from the United States and Canada, using computer servers based in Europe. On a global scale, around three million messages are being exchanged each day via Sky ECC. Over 20 percent of the users are based in Belgium and the Netherlands.
Europol has provided and will continue to provide the authorities of Belgium, the Netherlands and other affected countries with tactical, technical and financial support and will be dealing with this important flow of information on criminal activities in order to prevent threats to life and major crimes.
Eurojust has provided advice and support regarding cross-border judicial cooperation and organised 12 coordination meetings to enable this collaboration. The Agency will continue to provide this support and stands ready for further advice and cross-border operational financial support to all Member States and countries involved, to ensure adequate cross-border judicial cooperation.