Europol announced on Tuesday that several law enforcement authorities dismantled a VPN service that was being utilized by cybercriminals in order to deploy ransomware.
In a coordinated operation on Monday, 12 law enforcement agencies - including ones from Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom - seized or disrupted 15 servers that hosted the service of VPNLab.net.
The provider offered virtual private network (VPN) services for $60 a year (previous VPN services used by cybercriminals, such as safe-inet.net, have been advertised for prices ranging from $1.3 a day to $190 a year, according to reports). However, Europol said that VPNLab.net was a popular choice for cybercriminals for avoiding detection while launching various malicious activities. Multiple investigations found the VPN provider’s services being used to set up infrastructure and communications behind ransomware campaigns and to deploy ransomware, leading to cyberattacks on more than 100 businesses, according to Europol.
Volker Kluwe, chief of the Hanover Police Department, said in a statement that the operation shows that VPN services that support illegal action are not “bulletproof.”
“This operation shows the result of an effective cooperation of international law enforcement agencies, which makes it possible to shut down a global network and destroy such brands,” said Kluwe.
A message left on the domain of VPNLab.net, which has been rendered unavailable, said that the customer data stored as part of these servers has also been seized and the investigation regarding this customer data will continue.
The service was also being advertised on underground forums, according to Europol. Mark Arena, CEO at Intel 471, said that the forum administrator of Verified, for instance, has actively advertised the VPN service since 2009. Verified is a Russian- and English-language cybercrime forum known for carding and banking fraud discussions as well as advertisements for related services. The forum has a user base of over 180,000 registered users, said Arena.
Typically, VPN providers will utilize a contact form for internet users to report some form of abuse they observe, and legitimate providers will restrict access to bad actors, or turn data over to law enforcement if they are requested to do so, said Arena.
“However, in the case of VPN providers that are well-known to cybercriminals, they often don’t respond to takedown or abuse requests because it would damage their reputation with their customer base,” he said. “It should be noted that VPNLab almost certainly was a criminally run service for cybercriminals, by cybercriminals, and wasn’t an abused service.”
The European Union Agency for Law Enforcement Cooperation (Europol), which facilitates global information sharing on organized crime, has previously spearheaded operations against VPN services being used by cybercriminals. In June, Europol announced that law enforcement had gained access to the servers of DoubleVPN, which it said was used by ransomware operators and attackers behind phishing emails. And in 2020, Europol also announced that the VPN service Safe-Inet was shut down after it was discovered being abused by attackers for ransomware and e-skimming breaches.
“This sends a clear signal that law enforcement will actively go after criminally run services that enable cybercrime,” said Arena. “Whilst there can be a blurring of the lines between whether an online service is legitimate, being abused or is criminally run for cybercriminals, services that are actively advertised on the cybercriminal underground makes it clear that these services are made to commit crime and it’s a matter of when, rather than if that law enforcement will look into it.”