This VPN service used by cyber criminals to deliver ransomware has just been taken down by police

Joint action supported by Europol has seized servers used by criminals and identified more than 100 businesses that have fallen victim to attacks.
Written by Danny Palmer, Senior Writer

A VPN service used by criminals to distribute ransomware, malware and facilitate other forms of cybercrime has been taken offline following a coordinated international operation by police.

As part of the joint action by Europol, Germany's Hanover Police Department, the FBI, the UK's National Crime Agency (NCA) and others, the 15 servers used by the VPNLab.net service have been seized or disrupted, rendering it no longer available.

Europol said multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution. Other cases showed the service's use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware. 

SEE: A winning strategy for cybersecurity (ZDNet special report)

Europol said that VPNLab.net was established in 2008, offering services based on OpenVPN technology and 2048-bit encryption to provide online anonymity for as little as $60 per year. The service also provided double VPN, with servers located in many different countries. "This made VPNLab.net a popular choice for cyber criminals, who could use its services to carry on committing their crimes without fear of detection by authorities," the agency said.

Cyber criminals also used the service to deploy malware while avoiding detection by authorities – but now the servers have been seized, law enforcement is investigating customer data in an attempt to identify cyber criminals and victims of cyberattacks.

Europol hasn't disclosed which forms of malware and ransomware the VPN service was being used to distribute.

As a result of the investigation, more than 100 businesses have been identified as at risk of cyberattacks and law enforcement is working directly with them in an effort to mitigate any potential compromise.

"The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online," said Edvardas Šileris, head of Europol's European Cybercrime Centre (EC3).

"Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches," he added.

The disruptive action against VPNLab took place on 17 January 2022 and involved authorities from Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom, along with support from Europol.

"One important aspect of this action is also to show that, if service providers support illegal action and do not provide any information on legal requests from law enforcement authorities, that these services are not bulletproof," said Volker Kluwe, chief of Hanover Police Department, which led the take down.

"This operation shows the result of an effective cooperation of international law enforcement agencies, which makes it possible to shut down a global network and destroy such brands," he added.

The action represents the latest international operation by law enforcement agencies targeting cyber criminals and the services they use to facilitate attacks, and comes days after Russian authorities said they arrested members of the REvil ransomware gang.


Editorial standards