Germany and Ukraine hit two high-value ransomware targets

The German Regional Police (Landeskriminalamt Nordrhein-Westfalen) and the Ukrainian National Police (Націона́льна полі́ція Украї́ни), with support from Europol, the Dutch Police (Politie) and the United States Federal Bureau of Investigations, targeted suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware.

This ransomware appeared in 2019, when cybercriminals started using it to launch attacks against organisations and critical infrastructure and industries. Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a unique tool capable of compromising defence mechanisms by terminating the security-related process of the attacked systems. The DoppelPaymer attacks were enabled by the prolific EMOTET malware.

The ransomware was distributed through various channels, including phishing and spam emails with attached documents containing malicious code — either JavaScript or VBScript. The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020. German authorities are aware of 37 victims of this ransomware group, all of them companies. One of the most serious attacks was perpetrated against the University Hospital in Düsseldorf. In the US, victims payed at least 40 million euros between May 2019 and March 2021.

During the simultaneous actions, German officers raided the house of a German national, who is believed to have played a major role in the DoppelPaymer ransomware group. Investigators are currently analysing the seized equipment to determine the suspect’s exact role in the structure of the ransomware group. At the same time, and despite the current extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group. The Ukrainian officers searched two locations, one in Kiev and one in Kharkiv. During the searches, they seized electronic equipment, which is currently under forensic examination.
Europol on-site to speed up forensic analysis of seized data

On the action days, Europol deployed three experts to Germany to cross-check operational information against Europol’s databases and to provide further operational analysis, crypto tracing and forensic support. The analysis of this data and other related cases is expected to trigger further investigative activities. Europol also set up a Virtual Command Post to connect the investigators and experts from Europol, Germany, Ukraine, the Netherlands and the United States in real time and to coordinate activities during the house searches. Europol’s Joint Cybercrime Action Taskforce (J-CAT) also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.

From the beginning of the investigation, Europol facilitated the exchange of information, coordinated the international law enforcement cooperation and supported the operational activities. Europol also provided analytical support by linking available data to various criminal cases within and outside the EU, and supported the investigation with cryptocurrency, malware, decryption and forensic analysis.

IOCTA 2021 unveils the most recent cyber threat (r)evolutions

The accelerated digitalisation related to the COVID-19 pandemic has significantly influenced the development of a number of cyber threats, according to the new edition of Europol’s Internet Organised Crime Threat Assessment. Criminals have been quick to abuse the current circumstances to increase profits, spreading their tentacles to various areas and exposing vulnerabilities, connected to systems, hospitals or individuals. While ransomware groups have taken advantage of widespread teleworking, scammers have abused COVID-19 fears and the fruitless search for cures online to defraud victims or gain access to their bank accounts. The increase of online shopping in general has attracted more fraudsters. With children spending a lot more time online, especially during lockdowns, grooming and dissemination of self-produced explicit material have increased significantly. Grey infrastructure, including services offering end-to-end encryption, VPNs and cryptocurrencies continue to be abused for the facilitation and proliferation of a large range of criminal activities. This has resulted in significant challenges for the investigation of criminal activities and the protection of victims of crime.

In addition to expanding the efforts to tackle these threats from a law enforcement perspective, it is crucial to add another level of protection in terms of cybersecurity. The implementation of measures such as multi-factor authentication and vulnerability management are of utmost importance to decrease the possible exposure to cyber threats. Awareness raising and prevention are key components in reducing the effectiveness of cyberattacks and other cyber enabled criminal activities.

The key threats:

- Ransomware affiliate programs enable a larger group of criminals to attack big corporations and public institutions by threatening them with multi-layered extortion methods such as DDoS attacks.
- Mobile malware evolves with criminals trying to circumvent additional security measures such as two-factor authentication.
- Online shopping has led to a steep increase in online fraud.
- Explicit self-generated material is an increasing concern and is also distributed for profit.
- Criminals continue to abuse legitimate services such as VPNs, encrypted communication services and cryptocurrencies.

The new edition of Europol’s Internet Organised Crime Threat Assessment, launched today, looks into the (r)evolutionary development of these trends, catalysed by the expanded digitalisation of recent years. The report was presented during the Europol-INTERPOL Cybercrime Conference. The conference gathered about 100 experts together to share their insights into the latest cybercrime trends and threats and to discuss how innovation is essential in countering cybercrime acceleration.

12 targeted for involvement in ransomware attacks against critical infrastructure

A total of 12 individuals wreaking havoc across the world with ransomware attacks against critical infrastructure have been targeted as the result of a law enforcement and judicial operation involving eight countries.

These attacks are believed to have affected over 1 800 victims in 71 countries. These cyber actors are known for specifically targeting large corporations, effectively bringing their business to a standstill.

The actions took place in the early hours of 26 October in Ukraine and Switzerland. Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions.

As the result of the action day, over USD 52 000 in cash was seized, alongside 5 luxury vehicles. A number of electronic devices are currently being forensically examined to secure evidence and identify new investigative leads.

The targeted suspects all had different roles in these professional, highly organised criminal organisations. Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments.

Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access.

The criminals would then lay undetected in the compromised systems, sometimes for months, probing for more weaknesses in the IT networks before moving on to monetising the infection by deploying a ransomware. These cyber actors are known to have deployed LockerGoga, MegaCortex and Dharma ransomware, among others.

The effects of the ransomware attacks were devastating as the criminals had had the time to explore the IT networks undetected. A ransom note was then presented to the victim, which demanded the victim pay the attackers in Bitcoin in exchange for decryption keys.

A number of the individuals interrogated are suspected of being in charge of laundering the ransom payments: they would funnel the Bitcoin ransom payments through mixing services, before cashing out the ill-gotten gains.
International cooperation

International cooperation coordinated by Europol and Eurojust was central in identifying these threat actors as the victims were located in different geographical locations around the world.

Initiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway, France, the United Kingdom and Ukraine with financial support of Eurojust and assistance of both Agencies. The partners in the JIT have since been working closely together, in parallel with the independent investigations of the Dutch and U.S. authorities, to uncover the actual magnitude and complexity of the criminal activities of these cyber actors to establish a joint strategy.

Eurojust established a coordination centre to facilitate cross-border judicial cooperation during the action day. In preparation of this, seven coordination meetings were held.

Europol’s European Cybercrime Centre (EC3) hosted operational meetings, provided digital forensic, cryptocurrency and malware support and facilitated the information exchange in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters in The Hague.

Coordinated Action Cuts Off Access to VPN Service Used by Ransomware Groups

Law enforcement and judicial authorities in Europe, the US and Canada have seized the web domains and server infrastructure of DoubleVPN. This is a virtual private network (VPN) service which provided a safe haven for cybercriminals to attack their victims.
This coordinated takedown, led by the Dutch National Police (Politie), under jurisdiction of the National Public Prosecutor’s Office (Landelijk Parket), with international activity coordinated by Europol and Eurojust, has now ended the availability of this service.
Servers were seized across the world where DoubleVPN had hosted content, and the web domains were replaced with a law enforcement splash page. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
DoubleVPN was heavily advertised on both Russian and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and phishing fraudsters. The service claimed to provide a high level of anonymity by offering single, double, triple and even quadruple VPN-connections to its clients.
DoubleVPN was being used to compromise networks all around the world. Its cheapest VPN-connection cost as little as €22 ($25).
INTERNATIONAL COORDINATION
International cooperation was central to the success of this investigation as the critical infrastructure was scattered across the world.
- Europol’s European Cybercrime Centre (EC3) supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy. Its cybercrime specialists organised over 30 coordination meetings and four workshops to prepare for the final phase of the takedown, alongside providing analytical and crypto-tracing support. A virtual command post was set up by Europol on the action day to ensure seamless coordination between all the authorities involved in the takedown.
- Eurojust facilitated the judicial cross-border cooperation and coordination, to ensure an adequate response in order to take down the network. For this purpose, and since October last year, six dedicated coordination meetings took place, organised by Eurojust, and set up a coordination centre during the action day, during which the operation was rolled on the ground by the various national authorities involved.

New Major Interventions to Block Encrypted Communications of Criminal Networks

Judicial and law enforcement authorities in Belgium, France and the Netherlands have in close cooperation enabled major interventions to block the further use of encrypted communications by large-scale organised crime groups (OCGs), with the support of Europol and Eurojust. The continuous monitoring of the illegal Sky ECC communication service tool by investigators in the three countries involved has provided invaluable insights into hundreds of millions of messages exchanged between criminals. This has resulted in the collection of crucial information on over a hundred of planned large-scale criminal operations, preventing potential life threatening situations and possible victims.
During an action day, a large number of arrests were made, as well as numerous house searches and seizures in Belgium and the Netherlands.  The operation is an essential part of the continuous effort of judiciary and law enforcement in the EU and third countries to disrupt the illegal use of encrypted communications, as was already displayed last year following the successful de-encryption of the EncroChat communication platform.
As of mid-February, authorities have been able to monitor the information flow of approximately 70 000 users of Sky ECC. Many users of EncroChat changed over to the popular Sky ECC platform, after EncroChat was unveiled in 2020.
By successfully unlocking the encryption of Sky ECC, the information acquired will provide insights into criminal  activities in various EU Member States and beyond and will assist in expanding investigations and solving serious and cross-border organised crime for the coming months, possibly years.
Law enforcement in all three countries has been on a continuous stand by during the last month to be able to provide rapid reactions to possible dangerous criminal activities when required. The newly acquired information will now be analysed further
Investigations into the tool started in Belgium, after mobile phones seized during searches showed the use of Sky ECC  by suspects. Worldwide, approximately 170 000 individuals use the tool, which has its own infrastructure and applications and is operated from the United States and Canada, using computer servers based in  Europe. On a global scale, around three million messages are being exchanged each day via Sky ECC. Over 20 percent of the users are based in Belgium and the Netherlands.
Europol has and will continue to provide the authorities of Belgium, Netherlands and other affected countries with tactical, technical and financial support and will be dealing with this important flow of information on criminal activities in order to prevent threats to life and major crimes.
Eurojust has provided advice and support regarding cross-border judicial cooperation and organised 12 coordination meetings to enable this collaboration. The Agency will continue to provide this support and stands ready for further advice and cross-border operational financial support to all Member States and countries involved, to ensure an adequate cross-border judicial cooperation.

Criminal Network Stealing over €12m from US-Based Banks Broken

The criminal network deceived 50 financial institutions through shell companies
A cross-border operation coordinated by Europol and led by the Spanish National Police (Policía Nacional) and the US Secret Service resulted in the dismantling of an organised crime group involved in fraud and money laundering. The operation involved also police services from Austria, Denmark and Greece as well as the US Department of Justice and the US Financial Crimes Enforcement Network (FinCEN).
On the coordinated from Europol action day, 6 October 2020, law enforcement offices carried out more than 40 house searches, arrested 37 suspects (2 in Austria, 11 in Greece, 23 in Spain and 1 in the UK) and seized 13 luxury cars. The follow up actions led to the freeze of 87 bank accounts worth €1.3 million.
Overall results:
- 105 suspects arrested
- 88 house searches
- Over €12 million in damages
- 87 accounts with more than €1.3 million frozen
- €406 000 euros seized in cash
- 14 high-end vehicles seized
- 19 European arrest warrants executed
The criminal organisation, mainly formed of Greek nationals, set up shell companies in the United States and opened bank accounts for these companies. To gain the trust of the financial institutions, members of the criminal network made transfers to the US-based accounts from different locations in the EU. Based on this trust, the American-based banks issued debit and credit cards for these accounts. Retailers in on the scam, most of whom were in Spain, used the payment cards to finance the available credited amounts on the cards. To launder the stolen funds, they transferred them to different bank accounts, owned by members of the criminal network located in several EU countries. More than 50 American financial institutions became victims of these fraudulent activities losing over €12 million.
Europol facilitated the information exchange, the operational coordination and provided analytical support for this eight months long investigation. During the operation, Europol set up a coordination centre at its headquarters with the use of a virtual command post to enable liaison officers from the involved countries, Europol experts and a representative from Eurojust to coordinate the operational activities. Europol also deployed an analyst to Greece to provide real-time analytical support to investigators on the ground.
The Joint Cybercrime Action Taskforce (J-CAT) at Europol supported the operation. This standing operational team consists of cyber liaison officers from different countries who work from the same office on high profile cybercrime investigations.

Cybercriminals Favourite VPN Taken Down in Global Action

The virtual private network (VPN) Safe-Inet used by the world’s foremost cybercriminals has been taken down in a coordinated law enforcement action led by the German Reutlingen Police Headquarters together with Europol and law enforcement agencies from around the world.
The Safe-Inet service was shut down and its infrastructure seized in Germany, the Netherlands, Switzerland, France and the United States. The servers were taken down, and a splash page prepared by Europol was put up online after the domain seizures. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
Active for over a decade, Safe-Inet was being used by some of the world’s biggest cybercriminals, such as the ransomware operators responsible for ransomware, E-skimming breaches and other forms of serious cybercrime.
This VPN service was sold at a high price to the criminal underworld as one of the best tools available to avoid law enforcement interception, offering up to 5 layers of anonymous VPN connections.
Law enforcement were able to identify some 250 companies worldwide which were being spied on by the criminals using this VPN. These companies were subsequently warned of an imminent ransomware attack against their systems, allowing them to take measures to protect themselves against such an attack.
The service has now been rendered inaccessible.
Investigations are ongoing in a number of countries to identify and take action against some of Safe-Inet’s users.
International police cooperation was central to the success of this investigation as the critical infrastructure was scattered across the world.
Europol’s European Cybercrime Centre (EC3) supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy and to organise the intensive exchange of information and evidence needed to prepare for the final phase of the takedown.