Europol: Investigators shut down network of cyber criminals



Cybercrime is booming. The number of attacks is increasing – online extortion is good business for criminals. Investigators from ten countries have now taken down a criminal network.

European investigators have rendered a network of cybercriminals harmless, preventing damage worth millions.

In ten countries, 15 servers that are said to have ensured the anonymity of criminals on the Internet have been switched off, said the European police authority Europol in The Hague. According to the lead police department in Hanover, the starting point of the two-year investigation was a cyber attack on the city administration of Neustadt am Rübenberge in 2019. Various authorities around the world were involved.

According to Europol, criminals used the infrastructure of the VPNLab.net service for serious cyber crimes. A VPN ("virtual private network") offers users the opportunity to communicate anonymously, without outsiders being able to look in. Criminals also use the service for secure access to the Internet.

The operation took place on Monday. In addition to the police headquarters in Hanover and the public prosecutor’s office in Verden, Europol and the European judicial authority Eurojust, who made contact with investigators from the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia and Ukraine, were involved. The FBI in the USA and investigators in Great Britain also took part.

Joint approach

The city administration of Neustadt am Rübenberge in the Hanover region was one of the well-known victims of cybercrime in 2019: parental allowance applications, building plans and much more were encrypted. As a result, the administration of the city, which has around 45,000 inhabitants, was unable to offer individual services until the first quarter of 2020. In addition to municipalities, companies are also affected. The aim of the criminals: the data is released again only in return for a ransom.

Lower Saxony’s Interior Minister Boris Pistorius said that the so-called “takedown” of the network shows “that we as security authorities are able to put a stop to serious criminal cyber networks”. The SPD politician emphasized: “The sharpest sword against international criminals is a joint and closely coordinated approach.” There were first arrests, he said: “Whether we get all the criminals individually is another matter.” According to the President of the Hanover Police Department, Volker Kluwe, data stored in the network has been recorded and is now being evaluated. During the two-year investigation period, around 100 cyber attacks were prevented.

Lower Saxony’s Minister of Justice, Barbara Havliza, explained that cyber attacks are a real threat – “for all of us”. The CDU politician said: “Once the malware is in the system, the consequences are often catastrophic. The ransom demands are in the millions, and the loss of sensitive data can cause enormous damage.”

According to Europol, VPNLab.net has existed since 2008. The service was “particularly popular with cyber criminals,” according to Europol. The reason: it also offered a dual VPN with servers in multiple countries. With that, the services could have been used to commit crimes – without fear of being discovered by the authorities. According to the Hanover Police Department, VPN services are offered by many providers worldwide and are also used for legal purposes to protect against tracking.

Damages in the millions

The provider came to the investigators’ attention while they were working on various cases. Europol estimates that serious cyber attacks could be prevented. The malware sent via the server is “Ryuk” – software used by criminal organizations to attack authorities, companies and institutions and to extort ransom, the police said. In attacks with this malware, the perpetrators have repeatedly caused damage in the millions.

According to the police, “Ryuk” is so-called “ransomware” (from “ransom” and “ware”, the abbreviation for software). If the program gets onto a computer or a network, it encrypts photos, videos, documents or entire databases. A text file with a ransom demand is left on the end device. System copies are also encrypted or deleted in the process. Removing the malware or restoring the system to a point in time before the attack means that the files cannot be decrypted even if a payment is made.

According to the police, if the software penetrates a network, it can use a WLAN connection to switch on computers that are switched off in order to infect them. The attack usually takes the form of a phishing e-mail – an e-mail with a link or file attached. “Ryuk” is also offered as a service – one criminal group offers it to another and gets a percentage of the extorted loot.

Pistorius, a member of Europol’s control committee, once again called for the authority’s competencies and resources to be expanded: “Perpetrators have long been acting extremely dynamically and across borders. The answer can only be a strong European authority in the network of European security authorities.”

dpa
