Authorities caught 34 members of the notorious Black Axe gang in Spain known for stealing millions of Euros through online romance scams and email fraud.
Europol and Eurojust led a massive international police operation that successfully dismantled a crypto fraud network that laundered over β¬700M using deepfake ads.
Swiss and German police shut down Cryptomixer, seizing servers, domains and 28M dollars in Bitcoin during an Europol backed action targeting crypto laundering.
Law enforcement authorities from over a dozen countries in Europe and North America have taken part in disrupting the activities of the Hive ransomware group, the U.S. Justice Department and Europol announced. Hive is believed to have targeted various organizations worldwide in the past couple of years, often extorting payments in cryptocurrency.
Captured Decryption Keys Helped Hive Victims Avoid Paying $130 Million in Ransom
Ransomware network Hive, which has had around 1,500 victims in more than 80 countries, has been hit in a months-long disruption campaign, the U.S. Department of Justice (DOJ) and the European Union Agency for Law Enforcement Cooperation (Europol) revealed. A total of 13 nations participated in the operation, including EU member states, the U.K. and Canada.
Hive has been identified as a major cybersecurity threat as the ransomware has been used by affiliated actors to compromise and encrypt data and computer systems of government facilities, oil multinationals, IT and telecom companies in the EU and U.S., Europol said. Hospitals, schools, financial firms, and critical infrastructure have been targeted, the DOJ noted.
It has been one of the most prolific ransomware strains, Chainalysis pointed out, which has collected at least $100 million from victims since its launch in 2021. A recent report by the blockchain forensics company unveiled that revenue from such attacks has decreased last year, with a growing number of affected organizations refusing to pay the demanded ransoms.
According to the announcements by the law enforcement authorities, the U.S. Federal Bureau of Investigation (FBI) penetrated Hiveβs computers in July 2022 and captured its decryption keys, providing them to victims around the world which prevented them from paying another $130 million.
Working with the German Federal Police and the Dutch High Tech Crime Unit, the Bureau has now seized control over the servers and websites that Hive used to communicate with its members and the victims, including the darknet domain where the stolen data was sometimes posted. FBI Director Christopher Wray was quoted as stating:
The coordinated disruption of Hiveβs computer networks β¦ shows what we can accomplish by combining a relentless search for useful technical information to share with victims.
The Hive ransomware was created, maintained and updated by developers while being employed by affiliates in a βransomware-as-a-serviceβ (RaaS) double extortion model, Europol explained. The affiliates would initially copy the data and then encrypt the files before asking for a ransom to decrypt the information and not publish it on the leak site.
The attackers exploited various vulnerabilities and used a number of methods, including single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols as well as phishing emails with malicious attachments, the law enforcement agencies detailed.
Do you expect police authorities around the world to dismantle more ransomware networks in the near future? Tell us in the comments section below.
In a recent international law enforcement effort, agencies dismantled the infrastructure supporting Emotet. As of July 2020, a global threat index showed that Emotet impactedΒ 5%Β of organizations, worldwide. By early 2021, Emotet had disrupted 19% of organizations around the world.
Check Point expertΒ Lotem Finklestein says calls Emotet, βThe most successful and prevalent malware of 2020 by a long shot.βΒ Emotet earned its reputation due to its dynamic nature, technical features, and the organized business model supporting it.
When did Emotet first emerge on the scene?
Emotet is known as one of the worldβs largest botnets. It has existed since 2014. Initially a banking trojan, Emotet was created toΒ spy on victimsβ banking login credentials.
While easily discoverable by malware tools, Emotet evolved into aΒ malware-as-a-serviceΒ platform that saw extensive use.
The US Department of Homeland Security estimates that incidents involving Emotet cost organizations over $1M, on average.
How did Emotet work?Β
Emotet launched malspam campaigns. These campaigns included malicious attachments. The attachments would leverage a PowerShell to move the Emotet binary from remote websites and machines, adding them to the botnet.
The botnet grew in size and capabilitiesΒ over time.
Emotet also retained worm-like capabilities. Moving from machine to machine across a network was one of its strengths. Emotet was difficult to detect. Most victims could not detect it until long after the infection.
What made the Emotet botnet so successful?Β
Emotet is considered an advanced, self-propagating and modular Trojan. In a single year, the botnet managed to deliver phishing emails with more than 150,000 unique subject lines and 100,000 different file names for the attachments.
The internationally coordinated response
Authorities were able to disrupt Emotet from the inside. βThis operation is the result of a collaborative effort betweenβ¦the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Eropol and Eurojust,β statedΒ Europol.
Two of the three Emotet command and control servers were located in the Netherlands. The Dutch police report that an operation is in place to βreset Emotetβ.
Newly deployed software is expected to release a time-bomb-like code that will uninstall Emotet malware on all computers, worldwide, on April 25th, 2021.
Who created Emotet?
The Emotet botnet was controlled by a group known as TA452, which provided the software to the group that runs TrickBot. Those who run TrickBot are known for disseminating business-destroying Ryuk ransomware.
Emotetβs operators are unique in that they collaborated with other organized crime groups. This allowed them to net higher gains. Itβs also part of how Emotetβs operators gained a foothold in so many organizations.
An investigation into the identity of the criminals responsible for running Emotet is still ongoing.
An under-the-radar Emotet botnet attack?Β
Do you suspect that your organization may have been compromised by Emotet? Β Visit the DutchΒ website that can help you check. The website was established by the Dutch national police. The text can be translated into English.
For organizations that have been hit by Emotet
βAs part of the global remediation strategyβ¦information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs),β saysΒ Europol.
In a Europol-coordinated event, the worldβs largest dark web marketplace, known as DarkMarket, has been dismantled. German authorities arrested a 34 year-old Australian man who is allegedly behind the dark website. Authorities have also seized 20 of the servers connected to the nefarious operations.
Prior to the takedown, DarkMarket hosted nearly 500,000 users. More than 320,000 transactions transpired across its network. Most of the transactions occurred via bitcoin or monero, which were considered largely untraceable forms of payment.
In addition to investigating the websiteβs operator, Europol has announced plans to investigate the buyers and sellers who frequented the site.
Governments getting more aggressive in taking down dark web
On the part of federal agencies, dark website takedowns have grown increasingly aggressive and sophisticated. In 2020, a European investigation led to the take down of sites like Empire Market. As governments have ramped up their efforts, cyber criminals have wound down some of their operations. Fear of prosecution is high and some operators are cutting their losses, taking the money and running.
In the case of the Alphabay marketplace, taken down in 2017, federal agents continued to make arrests for several years after. Dark web marketplace technology can no longer easily outpace law enforcement.
The coordinated approach by European Cybercrime Centre (EC3)
In a comprehensive, coordinated, international program EC2 is:
Sharing intelligence
Developing new tools and techniques to improve dark web investigations
Elevating its threat detection and target detection initiatives
The scale of EC3βs efforts reflect the organizationβs commitment to tackle the use of the dark web as a faΓ§ade for criminal activities.
For more on the removal of DarkMarket, visit The Verge.
Login
