Europol lifts the lid on cybercrime tactics

The European Union Agency for Law Enforcement Cooperation (Europol), has published a report that examines developments in cyberattacks, discussing new methodologies and threats observed by Europol’s operational analysts. The report also discusses the criminal organizations behind cyberattacks and the influence of geopolitical events.

The report follows the Internet Organized Crime Assessment (IOCTA), Europol’s assessment of the cybercrime landscape and how it has changed over the last 24 months.

When it comes to the most deployed tactics, the report holds no big surprises.

“Phishing emails containing malware, Remote Desktop Protocol (RDP) brute forcing and Virtual Private Network (VPN) vulnerability exploitation are the most common intrusion tactics used by cybercriminals. Legitimate software and tools built into operating systems are then misused to establish persistence and traverse their victims’ networks.”

Cybercriminals usually gain initial access through compromised user credentials or by exploiting vulnerabilities in the targeted infrastructure.

Ransomware is named as the most prominent threat with a broad reach and a significant financial impact on industry. This in contrast to an FBI report that stated more money is lost to investment fraud than ransomware and business email compromise (BEC) combined. But if we look at news coverage then ransomware is certainly the most prominent one. And we have seen that the number of ransomware attacks and the height of the ransomware demands have gone up.

Affiliate programs remain the most observed form of organization for ransomware groups. The most common service providers for ransomware groups include initial access brokers (IABs), crypter developers, droppers-as-a-service, money laundering, and bullet-proof hosting services.

These groups work closely with other malware-as-a-service groups to compromise high-revenue targets and post huge ransom demands, running into millions of Euros. IAB’s will typically sell the access they have gained to other criminals, who could be inside or outside of the same criminal organization. Compromised organizations can be exposed to several simultaneous or consecutive cyber-attacks because the IABs usually do not offer exclusivity of their assets to the buyers.

Another trend flagged in the Europol report is that most ransomware groups are still using the multi-layered extortion method, with indications that the theft of sensitive information might become the core threat. The information theft is also seen to be feeding an ecosystem of criminals dealing in and making use of personal and financial information.

The Russian conflict with Ukraine led to a significant boost in Distributed Denial of Service (DDoS) attacks against EU targets. The most noticeable DDoS attacks were politically motivated and coordinated by pro-Russian hacker groups. Together with Russia’s internal politics it has uprooted cybercriminals pushing them to move to other jurisdictions.

Confirming several observations made by researchers, Europol points out that criminals have shifted their preference of using malicious macros in favor of container files after Microsoft blocked macros delivered over the Internet in its applications. Criminals are using SEO techniques and search-engine advertising tools to lure potential victims to web pages masquerading as download sites for popular software programs, which actually deliver malware to the victim’s system.

Other notable facts:

  • Mobile malware campaigns are less prolific after the takedown of Flubot.
  • Cyberattacks are becoming more targeted and continue causing disruptions in all sectors.
  • Crypters have become a key component in malware development operations.
  • Microsoft Exchange Server vulnerabilities are another common intrusion tactic.
  • Ransomware groups sometimes rent separate servers for victim data exfiltration, but are increasingly moving toward using legitimate cloud storage providers.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.