Anyone who calls up the VPNLab.net page only gets a “This domain has been seized” notice: the page has been confiscated. Various ransomware attacks were routed and malware, such as Ryuk, was distributed via the VPN network. The special VPN network with two cascaded servers was taken offline by over 12 international law enforcement agencies in Operation Cyborg.
On Monday, January 17, 2022, investigators from the Hanover police department and the Verden public prosecutor's office managed to take several servers of VPNLab.net, from which cybercriminal groups operated, offline (a so-called "takedown"). Various law enforcement agencies around the world were involved in the large-scale operation. The network has probably been spreading malware since 2019, such as Ryuk (see MITRE), which is used in ransomware attacks.
Successful strike against international cybercrime
All 15 server locations were determined. These servers belonged to an Internet service provider that makes so-called VPNs (Virtual Private Networks) available to its customers. A VPN guarantees the user protected and anonymous communication, as well as secure access to the Internet. The data traffic is encrypted and forwarded via servers at locations other than those of the end devices used. The service provider concerned also offered its customers Double VPN, in which online activities are hidden behind not just one but two servers: the data traffic is sent from the end device to a remote VPN server, and from there on to another VPN server at a different location.
VPNLab.net: Double VPN covers ransomware attackers
More than two years of meticulous investigative work and the networking of ten countries and twelve international law enforcement agencies prevent damage in the millions: the starting point for this successful strike was, of all things, the cyber attack on the Neustadt am Rübenberge city administration in August 2019. The investigations were led by the specialist inspectorate for cybercrime offenses of the Hanover police department, in cooperation with the public prosecutor's office in Verden, which is also responsible for this area.
The VPNLab.net network from which the attacks were coordinated was located and taken offline yesterday, Monday. This shows once again that we, as security authorities, are able to put a stop to serious criminal cyber networks and uncover and solve thousands of crimes in cyberspace. The sharpest sword against international criminals is a joint and closely coordinated approach.
Information Superhighway for Ransomware Ryuk
In the present case, the malware sent via the servers is the “Ryuk” malware. It is used internationally by criminal organizations to attack authorities, companies and institutions and to extort ransom money from them in return for making their digital infrastructure usable again. In attacks with this malware, the perpetrators repeatedly cause damage in the millions. A number of criminal groups networked via the servers that have now been switched off, set up organized structures, and launched attacks on hospitals, universities and companies with various ransomware, not just “Ryuk”.
The following authorities were involved in the operation
- Germany: Hanover Police Department (Polizeidirektion Hannover) – Central Criminal Office and Verden Public Prosecutor's Office
- Netherlands: The Dutch National Hi-Tech Crime Unit
- Canada: Royal Canadian Mounted Police, Federal Policing
- Czech Republic: Cyber Crime Section – NOCA (National Organized Crime Agency)
- France: Sous-Direction de la Lutte Contre la Cybercriminalité à la Direction Centrale de la Police Judiciaire (SDLC-DCPJ)
- Hungary: RSSPS National Bureau of Investigation Cybercrime Department
- Latvia: State Police of Latvia (Valsts Policija) – Central Criminal Police Department
- Ukraine: National Police of Ukraine (Національна поліція України) – Cyberpolice Department
- United Kingdom: The National Crime Agency
- United States: Federal Bureau of Investigation
- Eurojust
- Europol: European Cybercrime Center (EC3)
More at Europol.europa.eu