Europol reveals how ransomware gangs are evolving to evade capture

Image of a Europol sign affixed to its Amsterdam headquarters
(Image credit: Shutterstock)

Ransomware gangs are continuing to profit on the business model as they develop new attack methodologies to evade law enforcement, Europol said on Thursday.

The European law enforcement agency released its annual Internet Organised Crime Threat Assessment (IOCTA) which revealed the latest cyber security trends that organisations in the region should be aware of for the coming year, including novel approaches to ransomware and DDoS attacks.

Europol claimed ransomware will continue to proliferate across the continent but the industry can expect to see more restrictions placed on who or what type of organisations are targeted.

Citing recent pressures and successful stings from law enforcement agencies, Europol said attacks will be focused more on private corporations than those in the public sector, and that targets are likely to be chosen based on how much negative press or public outcry might be created following an attack.

There have been a number of instances where ransomware gangs have changed their policies on target selection, Europol said. For example, DarkSide stated it would introduce moderation after the Colonial Pipeline attack drew global attention.

Avaddon also introduced measures to avoid targets in the Commonwealth of Independent States, and REvil has prohibited attacks on social and governmental services of any country.

A number of ransomware groups have claimed to have ceased operation in recent months. Avaddon said in July that it would follow in the footsteps of DarkSide and Maze in ending their campaigns, while most recently BlackMatter also announced that it too would be shuttering, citing increased pressure from law enforcement agencies.

It raises the question as to whether these groups will actually end their attacks for good or whether they are laying low until the pressure from law enforcement, the public, and the industry is quelled. The BlackMatter a group, for example, is itself believed to be a spin-off of DarkSide and REvil, suggesting that it hackers may rebranding in order to restart their hacking campaigns.


The best defence against ransomware

How ransomware is evolving and how to defend against it


Europol also reported that "double extortion" methods are once again on the rise, having received numerous reports this year. Double extortion has been gaining traction since 2020 but a number of new techniques have been recently observed. This includes voice over internet protocol (VoIP) services being used to call journalists following a ransomware attack to further coerce them into paying.

There have also been cases of attackers threatening victims with further DDoS attacks and leaking of information should a ransom not be paid, according to the report.

The evolving techniques and a restricted approach to targeting victims has led to 300%+ increase in ransom payments being made compared to the period between 2019 and 2020.

The IOCTA report also highlighted the re-emergence of monetarily-driven distributed denial of service attacks (DDoS) - knocking organisations' networks offline before demanding a payment.

More instances have been observed by the EU's law enforcement agency of cyber criminals launching small-scale DDoS attacks on their targets, showing them the damage they're capable of, then stopping to contact and demand a ransom payment.

The results of this attack vector have been mixed, Europol said, and those responsible have been claiming to be members of known advanced persistent threat (APT) groups to scare the victim further into paying.

The types of organisations having been targeted using this method include financial services institutions, internet service providers (ISPs), and small and medium-sized businesses (SMBs).

"This is further evidence of how much of a threat ransom attacks pose to businesses, including those that go beyond ransomware," said Chris Waynforth, assistant vice president of Northern Europe at Imperva. "Our research has seen a surge in ransom-focused DDoS attacks, partly because they can be even easier to carry out than ransomware attacks.

"It’s no coincidence that the number of DDoS attacks has quadrupled in the last year," he added. "Using rapid-fire attacks, averaging just 6 minutes, cyber-criminals demonstrate their capabilities to businesses before sending an extortion demand, threatening much larger attacks if payments aren’t made."

The final major threat Europol drew attention to was mobile-based malware which, the agency said, has previously not been as effective as attackers may have hoped. Despite this, the number of reports have increased significantly.

FluBot is named as one of the most prolific mobile banking trojans currently in circulation across Europe and the US. FluBot's main functionality includes setting invisible overlays that work on various banking apps in order to steal login credentials.

Other malware strains such as Cerberus and TeaBot are also able to intercept SMS-based one-time passcodes sent by financial institutions and two-factor authentication (2FA) codes from apps like Google Authenticator.

"Cybercrime is a reality and law enforcement worldwide needs to catch up,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre. "Events like this bring together public and private entities in recognising the threat and identifying ways to combat it effectively. Only by working together can we create innovative ideas and practical approaches that can put a halt to cybercrime acceleration. It is essential to establish the environment and resources required to do so."

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.