A VPN service frequently used by cybercriminals to launch ransomware attacks and spread malware online has been taken down as part of a joint operation between Europol and law enforcement authorities from 10 different countries. On January 17, disruptive actions took place in a coordinated manner in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine the US and the UK as law enforcement from each country seized or disrupted 15 servers used to host VPNLab.net.
Europol’s European Cybercrime Centre (EC3) provided support for the operation through its Analysis Project ‘CYBORG’ which organized over 60 coordination meetings and three in-person workshops while also providing both analytical and forensic support.
Head of the EC3, Edvardas Šileris explained in a press release how data gathered in this operation will be used to help Europol find its next target, saying:
“The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online. Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches.”
A VPN for cybercriminals
First established in 2008, VPNLab.net provided VPN services based on OpenVPN and utilized 2048-bit encryption to provide its customers with online anonymity for as little as $60 per year. In addition to a regular VPN, the site also provided a double VPN where internet traffic would pass through multiple VPN servers before arriving at its destination.
According to Europol, law enforcement first took interest in VPNLab after multiple investigations revealed that cybercriminals were using the service for illicit activities including malware distribution. Meanwhile, other cases showed that the service was used to set up infrastructure and communications behind ransomware campaigns. In a press release, Ukraine’s cyberpolice revealed that VPNLab was used in at least 150 ransomware attacks.
While VPNLab has now been shut down, the owners and operators of the service have yet to be identified, charged or arrested. However, data seized from the service’s servers could hold valuable evidence on who was behind the operation.
At the same time, law enforcement plans to comb through VPNLab’s customer data with the aim of identifying additional ransomware affiliates.