European Authorities Seize VPN Service Tied to RansomwareEuropol: Collaboration and Coordination Led to VPN Service Shutdown
VPN Lab, one of the longest running virtual private network services, known for its alleged wide use by ransomware threat actors, has been shut down. Fifteen servers associated with VPNLab.net were seized or disrupted based on multiple international investigations tying the VPN service provider to cybercrime operations, according to Europol. Associated cybercrimes allegedly ranged from malware distribution to high-value ransomware operations.
Some security experts believe the operation highlights the complexity in bringing cybercriminals to justice. They add that service providers' avoidance of any connection to ransomware campaigns has also proved challenging, though the EU investigation brought tangible results.
According to a statement by Europol, the law enforcement agency for the European Union, the shutdown occurred on Monday under the direction of the European Multidisciplinary Platform Against Criminal Threats, or EMPACT.
Authorities replaced VPNLab's homepage messaging with a statement that the site had been seized. The note says German authorities led a "long-running investigation" and "gained access to the servers and seized the customer data stored within."
The platform, which has been widely connected to cybercrime - in particular, 150 ransomware attacks - is one of the longest-running services, having been established in 2008. It also cost as little as $60 annually, providing an affordable way for cybercriminals to hide their whereabouts.
VPNLab was also a "popular choice" for cybercriminals, according to Europol, which says its double VPN had servers in multiple countries.
Authorities also say in their seizure note that their investigation regarding customer data of this network will continue.
Law enforcement agencies from 10 nations were involved in the seizure, including Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the U.S. and the U.K., and took 60 meetings to coordinate.
The Hunt for Cybercriminals
A significant challenge with enforcement efforts stems from many ransomware gangs operating within the borders of the Russian Federation, says Gareth Owenson, CTO and co-founder of dark net monitoring firm Searchlight Security. Often, when a crackdown takes place, the group just reemerges with a "degree of impunity," he says.
Owenson says this seizure is a telling sign that international authorities are identifying and targeting cybercriminal operations, including zeroing in on how they leverage tools such as VPNs to shield their identities.
"If you're involved in criminality on the dark web, it is very difficult to hide yourself perfectly - you only need to make one mistake for law enforcement to get you," Owenson says.
Neil Jones, a cybersecurity evangelist for the firm Egnyte, says this event puts technology providers on notice as well and calls it a "breath of fresh air" to see authorities shut down a service that has facilitated crypto-locking crimes.
Steve Moore, chief security strategist at Exabeam, adds that it's critical to have the backing of international law enforcement agencies in order to properly address cybercrime.
"Major attacks require the engagement of law enforcement by defenders," he says. "Security teams need to educate their leadership on what this means, specifically as it affects the response timeline."
Varying Roles in Cybercrime
Still, some experts believe there is not enough focus on technology providers that have proven to be an accessory to ransomware.
"In this case, the VPN provider appears to have had a high proportion of criminal actors and may not have been cooperating with law enforcement requests," says Searchlight Security's Owenson. "Facilitating criminality is also often a crime even if they aren't directly dirtying their hands."
Because some service providers have demonstrated an ability to evade the law at times, they largely operate "without any fear of consequence," says John Bambenek, principal threat research for security firm Netenrich.
And Owenson says that VPN providers, if not already doing so, should be more diligent about their client base.
"Those that actively advertise in places where lots of criminality is taking place put themselves at risk of prosecution," he says.
Next Moves for Ransomware Operators
By shutting down VPNLab, dozens of "premeditated cyberattacks" could have been mitigated, says Austin Merritt, a cyberthreat intelligence analyst for the firm Digital Shadows.
Merritt warns, however, that ransomware gangs are quick to reorganize their operations and are constantly seeking out new tools.
"VPNLab is just one of many VPN services that are frequently used by threat actors to conduct illegal cybercriminal activity," says Merritt, adding that high-profile takedowns, such as DoubleVPN in June 2021, prompt cybercriminals to "quickly turn to other criminal VPN services for hosting."
Cybercriminals will often flock to online forums and advertise VPN services that can host a ransomware crime architecture, Merritt says. This poses another predicament for law enforcement authorities, he says, since cyberattack methods are only widening.
"Before this takedown, we saw some threat actors abandon VPNLab just because it was working poorly in recent months. It's realistically possible that cybercriminals have already been shopping for new VPN services, and if they haven't yet, they will likely seek them out in the short term," says Merritt.
Global Fight Against Ransomware
Amid the proliferation of ransomware attacks over the past 12-plus months, the Biden administration, including the U.S. Cybersecurity and Infrastructure Security Agency, has continued its focus on curbing crypto-locking attacks, in part by issuing VPN security recommendations in 2021.
The U.S. has sanctioned cryptocurrency platforms - which have often been used to launder ill-gotten gains connected to cybercrime - such as Russian-based Suex and Chatex (see: US Treasury Blacklists Russia-Based Crypto Exchange).
Last week, Russian authorities also arrested alleged REvil-linked ransomware operators. It remains to be seen whether this operation will alter Russian cybercrime patterns.
"A single arrest or takedown is not enough to stop cybercrime that’s earning billions of dollars a year," says Netenrich's Bambenek. For long-lasting change to set in, he adds, takedowns such as that of VPNLab would need to happen more frequently.
"If [large-scale crackdowns] continue against other providers, the ability of ransomware operators to continue is hampered because they do need these services," he says.