Europol has halted the operations of VPNLab, a virtual private network that provided anonymity and encryption services for cybercrime groups, including ransomware gangs. Europol reported that 15 servers were seized in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the US, and the UK.
All internet services of VPNLab are reported to be offline, and the associated domains now display the Europol seizure message on their landing pages. The operation was coordinated and led by the Central Criminal Office of the Hannover Police Department in Germany. During the investigation, law enforcement authorities were able to recover information about over one hundred organizations that were at imminent risk of a cyber attack and are working now to inform the potential victims.
So called “bullet proof” hosting providers often operate in jurisdictions where there is no political or legal priority to halt criminal operations. A renewed focus on addressing flagrant violators within cooperating jurisdictions will make it incrementally harder for cyber criminals to disguise their activities, or at least cost them time as they adjust.
It is important to note that cyber criminal operations routinely use domain fronting, content delivery networks, and rented space on large providers, such as Microsoft Azure and Amazon Web Services, to disguise their activities. Due to this, the actual criminal infrastructure is seldom directly seen by organizations under attack. Cyber Intelligence activities, whether in-house or outsourced, can provide lists of domains, IP addresses, and services that can be added to firewall and Managed Detection and Response (MDR) deny lists to help prevent attacks.