European investigators have rendered a network of cybercriminals harmless, preventing damage worth millions. The European police authority Europol announced on Tuesday in The Hague that 15 servers had been switched off in ten countries, which had ensured the anonymity of criminals on the Internet. The starting point of the two-year investigation was a cyber attack on the city administration of Neustadt am Rübenberge in 2019 - according to the lead police department in Hanover. Various authorities around the world were involved.

According to Europol, criminals used the infrastructure of the VPNLab.net service for serious cyber crimes.

VPN ("virtual private network" or "virtual private network") offers users the opportunity to communicate anonymously - without outsiders having a look.

Criminals also use the service for secure access to the Internet.

The action was already on Monday.

In addition to the police headquarters in Hanover and the public prosecutor's office in Verden, Europol and the European judicial authority Eurojust, who made contact with investigators from the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia and Ukraine, were involved.

The FBI in the USA and investigators in Great Britain were also involved.

Release data for ransom

The city administration of Neustadt am Rübenberge in the Hanover region was one of the well-known victims of cybercrime in 2019, where parental allowance applications, building plans and much more were encrypted. The administration of the city, which has around 45,000 inhabitants, was therefore unable to offer individual services until the first quarter of 2020. In addition to municipalities, companies are also affected. The aim of the criminals: the data will be released again for a ransom.

Lower Saxony's Interior Minister Boris Pistorius said that the so-called "takedown" of the network shows "that we as security authorities are able to put a stop to serious criminal cyber networks". The SPD politician emphasized: "The sharpest sword against international criminals is a joint and closely coordinated approach." Lower Saxony's Justice Minister Barbara Havliza explained that cyber attacks are a real threat - "for all of us". The CDU politician said: "Once the malware is in the system, the consequences are often catastrophic. The ransom demands are in the millions, the loss of sensitive data can cause huge damage.”

According to Europol, VPNLab.net has existed since 2008. The service was "particularly popular with cyber criminals," according to Europol. The reason: it also offered a dual VPN with servers in multiple countries. With that, the services could have been used to commit crimes – without fear of being discovered by the authorities. According to the Hanover Police Department, VPN services are offered by many providers worldwide and are also used for legal purposes to protect against tracking.

The provider was targeted by the investigators when clarifying various cases.

Europol estimates that serious cyber attacks could be prevented.

The malware sent via the server is "Ryuk" - software used by criminal organizations to attack authorities, companies and institutions and to extort ransom, the police said.

In attacks with this malware, the perpetrators have repeatedly caused damage in the millions.

The attack is usually carried out via phishing mail

According to the police, "Ryuk" is so-called "ransomware" ("ransom" means ransom, "ware" is the abbreviation for software). If the program reaches a computer or a network, it encrypts photos, videos, documents or entire databases. A text file with a ransom demand is left on the end device. System copies are therefore also encrypted or deleted. Removing the malware or resetting the system to a point in time before the attack means that the files cannot be decrypted even if a payment is made.

According to the police, if the software penetrates a network, it can switch on computers that are switched off via a WLAN connection in order to infect them.

The attack is usually carried out via phishing email – an email with a link or a file attached.

"Ryuk" is also offered as a service - one criminal group offers it to another and gets a percentage of the extorted loot.

Pistorius, a member of Europol's control committee, once again called for the authority's competencies and resources to be expanded: "Perpetrators have long been acting extremely dynamically and across borders.

The answer can only be a strong European authority in the network of European security authorities.”