zephyr_p - stock.adobe.com

Police take down VPN linked to multiple ransomware hits

German police led a multinational effort to seize and take down the LabVPN service, which was allegedly used by cyber criminals to facilitate ransomware attacks

The LabVPN virtual private network (VPN) service has been taken offline and its infrastructure seized in a multinational police operation, having allegedly been employed by cyber criminal gangs to support ransomware campaigns.

The Europol-aided operation on 17 January 2022 spanned 10 countries and involved 12 law enforcement agencies. It was led by the Hanover Police Department in Germany and saw 15 servers seized, with the network’s UK-based node taken offline by the National Crime Agency (NCA).

The takedown is the result of a two-year investigation prompted by an August 2019 cyber attack on the local administration of Neustadt am Rübenberge, a small town of around 45,000 located near to Hanover.

LabVPN is accused of allowing its service to be used by cyber criminals in both the preparation and execution of ransomware attacks that have caused significant economic damage to many businesses, including in the UK.

The service was set up in 2008 and offered VPN services on the dark web based on OpenVPN technology, backed with 2048-bit encryption for around $60 per annum. This allegedly made it a popular choice for malicious actors.

Its web domain has now been replaced with a law enforcement splash page explaining the network has been seized and is no longer usable.

“Cyber criminals using LabVPN clearly thought they could operate with impunity and remain under the radar of law enforcement,” said the NCA’s John Denley, deputy director of the national cyber crime unit.

“This operation shows they were wrong and that there is no hiding place from the combined power of  global law enforcement when it comes to taking down illegal IT infrastructure. This included the NCA switching off servers which were being hosted in the UK.

“We continue to work closely with international partners to bolster our capability to respond to this national security threat and strengthen the UK’s response to cyber crime,” said Denley.

In a statement translated by Computer Weekly via Google, Boris Pistorius, deputy minister of the interior and sport for the state of Lower Saxony, said: “The takedown of this network, through which thousands of cyber criminals have exchanged their communications and plans, is a great success for the officers, especially the officers involved at the Hanover Police Department.

“This shows once again that we, as security authorities, are able to put a stop to serious criminal cyber networks and to uncover and solve thousands of criminal offenses in cyber space. The sharpest sword against internationally active criminals is a joint and closely coordinated approach.

This is how we show the criminals that the state has means and resources at their disposal to take effective action against them. I would like to give my special thanks to everyone involved in this action,” said Pistorius. 

Edvardas Šileris, head of the European Cybercrime Centre (EC3) at Europol, added: “The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online. Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyber attacks and data breaches.”

Besides EC3 and the British and German authorities, the operation also involved agencies in Canada, Czechia, France, Hungary, Latvia, the Netherlands, Ukraine and the US.

Read more about cyber crime

Read more on Hackers and cybercrime prevention

Data Center
Data Management