Europol reveals how ransomware gangs are evolving to evade capture

The annual crime report explains how ransomware continues to grow in profitability despite recent capture attempts, and the novel ways DDoS attackers are attacking businesses

Ransomware gangs are continuing to profit on the business model as they develop new attack methodologies to evade law enforcement, Europol said on Thursday.

The European law enforcement agency released its annual Internet Organised Crime Threat Assessment (IOCTA) which revealed the latest cyber security trends that organisations in the region should be aware of for the coming year, including novel approaches to ransomware and DDoS attacks.

Europol claimed ransomware will continue to proliferate across the continent but the industry can expect to see more restrictions placed on who or what type of organisations are targeted.

Citing recent pressures and successful stings from law enforcement agencies, Europol said attacks will be focused more on private corporations than those in the public sector, and that targets are likely to be chosen based on how much negative press or public outcry might be created following an attack.

There have been a number of instances where ransomware gangs have changed their policies on target selection, Europol said. For example, DarkSide stated it would introduce moderation after the Colonial Pipeline attack drew global attention.

Avaddon also introduced measures to avoid targets in the Commonwealth of Independent States, and REvil has prohibited attacks on social and governmental services of any country.

A number of ransomware groups have claimed to have ceased operation in recent months. Avaddon said in July that it would follow in the footsteps of DarkSide and Maze in ending their campaigns, while most recently BlackMatter also announced that it too would be shuttering, citing increased pressure from law enforcement agencies.

It raises the question as to whether these groups will actually end their attacks for good or whether they are laying low until the pressure from law enforcement, the public, and the industry is quelled. The BlackMatter a group, for example, is itself believed to be a spin-off of DarkSide and REvil, suggesting that it hackers may rebranding in order to restart their hacking campaigns.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

Europol also reported that "double extortion" methods are once again on the rise, having received numerous reports this year. Double extortion has been gaining traction since 2020 but a number of new techniques have been recently observed. This includes voice over internet protocol (VoIP) services being used to call journalists following a ransomware attack to further coerce them into paying.

There have also been cases of attackers threatening victims with further DDoS attacks and leaking of information should a ransom not be paid, according to the report.

The evolving techniques and a restricted approach to targeting victims has led to 300%+ increase in ransom payments being made compared to the period between 2019 and 2020.

The IOCTA report also highlighted the re-emergence of monetarily-driven distributed denial of service attacks (DDoS) - knocking organisations' networks offline before demanding a payment.

More instances have been observed by the EU's law enforcement agency of cyber criminals launching small-scale DDoS attacks on their targets, showing them the damage they're capable of, then stopping to contact and demand a ransom payment.

The results of this attack vector have been mixed, Europol said, and those responsible have been claiming to be members of known advanced persistent threat (APT) groups to scare the victim further into paying.

The types of organisations having been targeted using this method include financial services institutions, internet service providers (ISPs), and small and medium-sized businesses (SMBs).

"This is further evidence of how much of a threat ransom attacks pose to businesses, including those that go beyond ransomware," said Chris Waynforth, assistant vice president of Northern Europe at Imperva. "Our research has seen a surge in ransom-focused DDoS attacks, partly because they can be even easier to carry out than ransomware attacks.

"It’s no coincidence that the number of DDoS attacks has quadrupled in the last year," he added. "Using rapid-fire attacks, averaging just 6 minutes, cyber-criminals demonstrate their capabilities to businesses before sending an extortion demand, threatening much larger attacks if payments aren’t made."

The final major threat Europol drew attention to was mobile-based malware which, the agency said, has previously not been as effective as attackers may have hoped. Despite this, the number of reports have increased significantly.

FluBot is named as one of the most prolific mobile banking trojans currently in circulation across Europe and the US. FluBot's main functionality includes setting invisible overlays that work on various banking apps in order to steal login credentials.

Other malware strains such as Cerberus and TeaBot are also able to intercept SMS-based one-time passcodes sent by financial institutions and two-factor authentication (2FA) codes from apps like Google Authenticator.

"Cybercrime is a reality and law enforcement worldwide needs to catch up,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre. "Events like this bring together public and private entities in recognising the threat and identifying ways to combat it effectively. Only by working together can we create innovative ideas and practical approaches that can put a halt to cybercrime acceleration. It is essential to establish the environment and resources required to do so."

Featured Resources

Seven steps to connect and empower your frontline workers

How business leaders can improve communication with a secure platform

Free download

Create what’s next

The future of collaboration and productivity

Free Download

Leveraging the cloud without relinquishing control

Your data. Their cloud.

Free download

Re-architecting for nonstop innovation

Unlocking productivity, scalability, and lower costs for cloud natives

Free Download

Recommended

TikTok phishing campaign tried to scam over 125 influencer accounts
social media

TikTok phishing campaign tried to scam over 125 influencer accounts

18 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021
Smart luggage is not so smart when it comes to cyber security
cyber security

Smart luggage is not so smart when it comes to cyber security

15 Nov 2021

Most Popular

How to speed up Microsoft's Windows 11
Microsoft Windows

How to speed up Microsoft's Windows 11

9 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

12 Nov 2021