Emotet, the most dangerous malware in the world, has been neutralised

Law enforcement and judicial authorities have succeeded in disrupting one of the most significant botnets of the past decade: Emotet. Investigators have now taken control of its infrastructure in a coordinated international action.

Emotet was one of the most professional and long-lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into a go-to solution for cybercriminals over the years. The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, it was sold to other top-level criminal groups who used it to deploy further illicit activities such as data theft and extortion.

The Emotet group managed to take email as an attack vector to the next level. Through a fully automated process, Emotet malware was delivered to victims’ computers via infected email attachments. A variety of different lures were used to trick users into opening these malicious attachments. In the past, Emotet email campaigns have also been presented as invoices, shipping notices and information about COVID-19.

All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install Emotet malware on a victim’s computer.

Emotet's payloads were also polymorphic: the malware was repacked so that the file delivered to each victim differed from the last, even though it behaved the same way. Antivirus products that rely on signatures for known samples (file hashes or byte patterns) could miss a freshly repacked copy, allowing the infection to go unnoticed at first.
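The delivery mechanism described two paragraphs above (a Word attachment whose VBA runs once the user enables macros) and the repacking described in the previous paragraph point to the same mail-gateway check: inspect the attachment's structure for a VBA project instead of matching the file's hash, since repacking changes the hash but cannot remove the macros without breaking the lure. The script below is an added example, not code from Europol, from the page, or from any Emotet analysis. The documents it inspects are constructed stand-ins built in memory (minimal OOXML containers with and without `word/vbaProject.bin`), not real samples, and the `classify_attachment` helper and its verdict names are this example's own.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx/.docm) is a zip archive
MACRO_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed stand-in for a Word attachment: a minimal OOXML zip holding only
    the parts the check below looks at. Not a real document and not an Emotet sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        ct = MACRO_CT if with_macros else PLAIN_CT
        z.writestr("[Content_Types].xml",
                   b'<Types><Override PartName="/word/document.xml" ContentType="' + ct + b'"/></Types>')
        z.writestr("word/document.xml", b"<w:document/>")
        if with_macros:
            # Real files hold the compiled VBA streams here; the bytes are irrelevant to the check.
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def classify_attachment(data: bytes) -> dict:
    """Decide from the bytes alone (never from the filename or extension) whether an
    attachment is an Office document and whether it carries a VBA project."""
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc: VBA lives in OLE2 streams. Parsing those properly needs a library
        # such as olefile/oletools, so here the file is only routed for deeper inspection.
        return {"format": "ole2", "has_macros": None, "verdict": "inspect"}
    if not data.startswith(ZIP_MAGIC):
        return {"format": "other", "has_macros": False, "verdict": "not-office"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                # A zip without the OOXML content-types part is not an Office document.
                return {"format": "zip", "has_macros": False, "verdict": "not-office"}
            content_types = z.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return {"format": "other", "has_macros": False, "verdict": "not-office"}
    # Two independent signals: the VBA part itself, and the macro-enabled content type.
    # Either is enough; a repacked or renamed file cannot drop them without losing the macros.
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names) or MACRO_CT in content_types
    return {"format": "ooxml", "has_macros": has_vba, "verdict": "block" if has_vba else "allow"}


if __name__ == "__main__":
    # Demo on the constructed samples; a gateway would feed it the decoded MIME part instead.
    for label, sample in (("invoice.docm", build_sample_ooxml(True)),
                          ("invoice.docx", build_sample_ooxml(False))):
        print(label, classify_attachment(sample))
```

The check deliberately ignores the filename: a `.docm` renamed to `.doc`, or a document served from a link rather than attached, is classified the same way once its bytes are in hand. Legacy OLE2 files are only flagged for inspection here because reading their VBA streams needs a proper OLE parser.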

Thus, Emotet was much more than just simple malware. What made it so dangerous is that it was rented out to other cybercriminals who used it to install different types of malware, such as banking Trojans or ransomware, on a victim’s computer.

This type of attack is called a ‘loader’ operation, and given that other malware operators like TrickBot and Ryuk were able to benefit from it, Emotet was considered one of the most prominent players in the cybercrime world.

The infrastructure used by Emotet involved several hundred servers located all over the world. Each had a different role: managing victims' infected computers, spreading the malware to new ones, serving other criminal groups and, ultimately, making the network more resilient to takedown attempts.

To severely disrupt the Emotet infrastructure, law enforcement agencies teamed up to create an effective operational strategy. Eventually, law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. Victims’ infected machines were redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupting the activities of cybercriminals.

The operation was the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. It was carried out within the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).


Aquest apunt en català / Esta entrada en español / Post en français

Cyber-attacks on the healthcare sector increase by 45%

Cyber-attacks on global healthcare organisations increased at more than double the rate of those targeting other sectors in the last two months of 2020.

The latest data from security vendors covers the period from the beginning of November to the end of 2020, and compares it with the previous two months (September-October).

It revealed a 45% increase in attacks on the healthcare sector, versus less than half this figure (22%) for all other sectors. November was particularly bad, with the healthcare sector suffering 626 weekly attacks on average per organisation, compared with 430 in the previous two months.

Although the attacks span a variety of categories — including ransomware, botnets, remote code execution and DDoS — perhaps unsurprisingly, it is ransomware that displayed the largest increase overall and poses the biggest threat.

In fact, financially motivated cybercriminals have been going after the healthcare sector since the start of the COVID-19 crisis, well aware that hospitals and clinics are distracted with the huge surge in cases coming through their doors.

In April, Microsoft described how these groups gain a foothold in networks, move laterally, steal credentials and exfiltrate data before deploying their ransomware payload.

Central Europe experienced the biggest rise in cyber-attacks on its healthcare sector during the period (145%), followed by East Asia (137%) and Latin America (112%).

Europe recorded a 67% increase, although Spain saw attacks double and Germany recorded a 220% surge. Although North America (37%) saw the smallest rise regionally, Canada experienced the biggest increase of any country, at 250%.

Last year, a number of hospital networks across the globe were successfully hit with ransomware attacks, making cybercriminals hungry for more.

Furthermore, the use of Ryuk ransomware reflects the trend towards targeted, tailored ransomware attacks rather than mass spam campaigns. This lets the attackers make sure they hit the most critical parts of the organisation, improving the chances of the ransom being paid.

Virtual patching, employee education and being on guard at weekends, when attackers often strike, are crucial tools in the fight against cybercriminals.



2020 cybercrime report

Europol published its Internet Organised Crime Threat Assessment (IOCTA) last October. The IOCTA seeks to inform decision makers on a strategic, tactical and operational level about the threats posed by cybercrime. The 2020 IOCTA helps to set the priorities for the 2021 operational action plans, which follow the three priorities defined below:

1) To interrupt criminal activities related to computer system attacks.

2) To fight against the sexual abuse and sexual exploitation of children, including the production and transfer of material.

3) To target criminals involved in fraud and counterfeiting of non-cash payment methods, including large-scale payment card fraud (especially card-not-present fraud), emerging threats to other non-cash payment methods and the criminal activities they enable.

In addition, the IOCTA seeks to consolidate findings on current cyberthreats, which could contribute to the discussion on research and development priorities as well as planning on an EU level.

The outbreak of the COVID-19 pandemic has shown how much a crisis of this kind can affect daily life around the world. As physical distancing became the norm, cybercrime became more prominent than ever. At the same time, the pandemic showed that the underlying forms of cybercrime remain the same: criminals simply adapt the details of their approach to the social context in order to improve their success rate. What is different with COVID-19 is that the physical restrictions introduced to curb the spread of the virus pushed many more people into working from home and accessing business resources remotely, so that many individuals and companies with little previous online presence have become lucrative targets.

Traditional cybercrimes such as phishing and online scams quickly exploited social vulnerabilities, with many citizens and businesses seeking information, answers and sources of help during this time. The pandemic also gave rise to misinformation campaigns, and the spread of misinformation increases the chance of cybercrime succeeding.

Social engineering remains a major enabler of other kinds of cybercrime. The use of encrypted chat applications, and industry proposals to extend this market, carry a substantial risk of abuse and make it harder for law enforcement agencies to detect and investigate criminal activity online.

Online communities of cybercriminals are highly resilient and continually evolving. Finally, live streaming of child sexual abuse continues to increase, and has become even more frequent during the COVID-19 pandemic.



How COVID-19 is affecting crime

Last month, Europol published a report on how COVID-19 has been affecting crime and terrorism in the EU.

While the pandemic is first and foremost a global public health crisis, it has also proven to have a significant and potentially long-lasting impact on the organised crime and terrorism landscape in Europe, as well as the ability of Member State law enforcement authorities to counter security threats.

While Europe is in the grip of a second wave of the pandemic, the impact of COVID-19 on crime has changed over time. Although some types of crime are here to stay, others come and go with the evolution of the pandemic and its measures. Greater awareness has, however, reduced the impact of some types of crime.

Europol’s report highlights some of the criminal activities to have gained prominence, such as the distribution of counterfeit personal protective equipment, and fake pharmaceutical and sanitary products. An increase in robberies of medical facilities and pharmacies has also been reported.

The area of child sexual abuse has remained a grave concern during the pandemic; with children spending more time online, the risk is potentially increased.

While the number of domestic robberies and common thefts has generally declined in the immediate aftermath of the introduced COVID-19 control measures, these crimes have been on the rise since the easing of the lockdown restrictions. There has been a notable rise in the number of reported robberies of unoccupied commercial premises, ATM attacks, copper theft and light construction vehicle theft.

Criminals have also used various types of schemes involving deception, such as the impersonation of representatives from public authorities or medical staff to gain access to private homes and businesses and steal from them.

Pandemic-themed campaigns have appeared across a wide range of cybercrime activities, including phishing campaigns, ransomware, malware and business email compromise attacks. Healthcare and health-related organisations have also been targeted and fallen victim to ransomware attacks.

The impact of the crisis on the EU drug market appears to have been limited. Some criminals adapted their methods of distributing drugs in order to circumvent the restrictions. An increase in violence and tensions among drug users has also been identified.

The impact of the pandemic on terrorism and violent extremism has been limited and primarily involved some extremists adapting narratives and propaganda materials to the COVID-19 topic.



Has the Government of El Salvador entered into agreements with the “maras”?

A few days ago, the Salvadoran newspaper El Faro reported that the country’s steep decline in homicides, hailed as the Government’s main achievement during Nayib Bukele’s little over a year-long leadership, was being called into question by a press investigation which claims the success can be attributed to a pact with the ‘mara’ Salvatrucha gang (MS13).

The newspaper published a report, citing official documents and statements from one of the gang’s leaders, which suggest the Government has been in negotiations with MS13 since June 2020, and that the pact would include electoral favours during the 2021 elections.

El Faro's investigation indicates that the negotiations between the Government and the "maras" include the groups' commitment to back the governing party in the election next February. In return, the government has allegedly promised to repeal laws and relax the maximum security regime in prisons if Bukele's Nuevas Ideas party wins control of the Legislative Assembly in the election for its 84 seats and for the 262 local governments.

Meanwhile, according to police data, between January the 1st and September the 2nd this year, there were 829 homicides in the country. This figure represents a reduction of approximately 56% on the 1,871 violent deaths recorded during the same period in 2019.

If this trend continues, El Salvador will close 2020 with around 1,200 homicides, representing a murder rate of 18 per 100,000 inhabitants, its lowest figure since 1994.

The "maras" have been declared terrorist groups by El Salvador's Supreme Court. As the evidence of the Government's alleged dialogue with them mounts and the voices denouncing these links gain credibility, the US State Department and the US Congress are therefore becoming increasingly concerned.

Despite the investigative reports, El Salvador’s president, Nayib Bukele, denied his government had made a pact with the “mara” Salvatrucha (MS13) gang to reduce the number of assassinations in exchange for more beneficial custodial terms. Bukele pointed out that the same people who had previously accused the Government of violating the terrorists’ human rights were now accusing it of granting them privileges.

The president recalled the events of last April when the “maras” increased the daily average number of murders for several days. In response, the Salvadoran Government ordered the prisons to confine the “maras” to their cells 24 hours a day, fix metal plates to the bars of their cell doors to prevent them communicating with signals, and ensure gang members were mixed in their cells, regardless of whether they belonged to rival gangs.

However, according to the El Faro newspaper, the decision to mix different gang members in the same prison cell was later repealed following talks between government officials and the heads of the criminal organisations; an accusation denied by the Government.



More cyberattacks in the first six months of 2020 than in the whole of 2019

The profound changes brought about by the COVID-19 pandemic in relation to the growth of remote working, and increasing incidences of ransomware activity have been the two main drivers behind the increase in cyberattacks.

A report by the company CrowdStrike on the recent online threat level affecting its clients revealed more intrusion attempts during the first six months of this year than during the whole of 2019.

The cybersecurity service provider's threat investigation team blocked some 41,000 possible intrusions between the 1st of January and the 30th of June this year, compared to 35,000 for the whole of last year. Intrusions involving hands-on malicious activity by a cybercriminal during the first six months of 2020 were 154% higher than the number of similar threats identified by CrowdStrike investigators in 2019.

Predictably, one of the major factors responsible for the increased threat activity was the rapid shift to remote work in response to the COVID-19 pandemic. This change significantly expanded the potential attack surface in many organisations, space which the cybercriminals were quick to exploit.

Another contributing factor was the growing availability of ransomware as a service (RaaS) and the consequent increase in the number of users able to carry out network attacks. There was a particularly marked increase in ransomware attacks which also involved the theft of sensitive data and subsequent attempts to extort victims by threatening to make it public.

Despite all the attention that cyber threat and espionage groups have recently garnered, the vast majority of the actual attacks blocked by CrowdStrike during the first six months of this year were financially motivated. In fact, 82% of the attacks detected by the investigators fell into the category of e-crime, compared to 69% in 2019.

As has been the case for some time, organisations in the financial, technology and telecommunications sectors saw more intrusion activity than most other sectors but were also better protected. CrowdStrike also observed a dramatic increase in intrusion activity against manufacturing companies.

Indeed, during the first half of 2020 manufacturing was the second most frequently targeted industry after technology. According to the company, the critical nature of most manufacturing operations and the valuable intellectual property and other data these companies hold make the sector an attractive target for financially motivated attackers and other threat actors alike.

Other sectors that were increasingly targeted by cybercriminals included healthcare, the food and beverage industry, and academic institutions.



INTERPOL warns of the rising threat posed by cybercrime

Incidents of cybercrime are increasing at an alarming rate as a consequence of the COVID-19 pandemic, and a new report from INTERPOL predicts they will accelerate further.

The report explains how cybercriminals have been exploiting our growing and necessary reliance on digital technology during recent months. This includes a sudden shift to teleworking by many organisations, which has involved the deployment of often unsecured remote systems and networks.

Based on the information provided by its member countries, INTERPOL has concluded that during the pandemic there has been a particularly significant increase in malicious domains (22%), malware and ransomware (36%) and phishing scams (59%).

Threat actors have revised their usual online scams and phishing schemes to commit crimes that feed on people’s financial and health fears during the COVID-19 crisis.

The report has also revealed a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure which offer more substantial financial gains.

INTERPOL believes that cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19. The increased online dependency for people around the world is also creating new opportunities, with many businesses and individuals not ensuring their cyber defences are up to date.

The report concludes that a further increase in cybercrime is highly likely in the near future. This is primarily due to vulnerabilities related to working from home, a continued focus on coronavirus-themed online scams and a probable further spike in phishing related to medical products once a COVID-19 vaccine becomes available.

According to the INTERPOL report, therefore, the COVID-19 pandemic is providing a wealth of opportunities for cybercriminals. In fact, many organisations could be at a greater risk of cyber attacks after turning to remote access solutions such as VPNs.

These remote access points may be misconfigured or insufficiently secured, and the remote computers may not have the latest security updates installed. Furthermore, personnel may have had to use their own personal devices to work from home, which presents challenges from a security standpoint.



Ransomware, the other pandemic

While the whole world suffers the ravages of the COVID-19 pandemic, another virus, albeit one of a more technical nature, is wreaking havoc everywhere. Although this virus has been around for years, its cases have risen alarmingly in the past few months, and it can have severe consequences for critical activities and organisations such as hospitals, businesses and governments.

This virus is called ransomware. A scheme called No More Ransom is helping victims fight back without paying the criminals. No More Ransom is the first public-private partnership of its kind to help victims of ransomware recover their encrypted data without having to pay the ransom to cybercriminals. The initiative's partners include Europol, the Dutch National Police (Politie), Kaspersky and McAfee.

Since its launch, the No More Ransom decryption tool repository has registered over 4.2 million visitors from 188 countries and stopped an estimated $632 million in ransom demands from ending up in criminals' pockets.

Powered by the contributions of its 163 partners, the portal has added 28 tools in the past year and can now decrypt 140 different types of ransomware infections. The portal is available in 36 languages.

To use it, simply go to the website nomoreransom.org and follow the Crypto Sheriff steps to help identify the ransomware strain affecting the device. If a solution is available, a link will be provided to download the decryption tool for free. No More Ransom goes a long way to help people impacted by ransomware, but there are still many types of ransomware out there without a fix.

Just like the coronavirus pandemic, prevention is better than cure, and fortunately, there are some preventative steps you can take to protect yourself:

  • Always keep a copy of your most important files somewhere else: in the cloud, on another offline drive, on a memory stick, or on another computer.
  • Use reliable and up-to-date anti-virus software.
  • Do not download programs from suspicious sources.
  • Do not open attachments in e-mails from unknown senders, even if they look important and credible.
  • And if you fall victim to a ransomware attack, do not pay the ransom.

We now need an innovative solution for those ransomware families not yet covered by the portal to help victims recover their files without giving in to the demands of the criminals.



Sexual offenders have increased their criminal activities during the COVID-19 pandemic

Since the start of the COVID-19 pandemic, the amount of child sexual exploitation material shared has increased, as have online child abuse and the sexual coercion and extortion of minors.

Minors were not exempt from the shift from the real world to the virtual one: video calls to friends and family, social networks, online games, and the internet for education and schooling. The more time they spend online, the more offenders are online too, and the more material is exchanged as offenders find new victims. Often these victims are unaware they have been targeted, particularly where self-generated material is involved; an area that represents a significant threat to children's safety.

The current situation has provided sex offenders with the perfect opportunity to access a broader group of potential victims. The report published a few weeks ago by Europol analyses the increased sharing of child sexual exploitation images online and how to confront this serious threat to children’s safety.

The exchange of child abuse material is usually not motivated by financial gain, although offenders do pay for some forms of it, such as live distant child abuse. Through live streaming, offenders unable to travel because of COVID-19 restrictions can have children abused at their request.

The economic slow-down related to the COVID-19 pandemic may stimulate an increase in child abuse material produced within vulnerable communities for financial gain. And child abuse material content can also be disguised behind advertisements bringing criminals profits with a “pay per click” formula.

Society, including law enforcement, needs to focus even more on educating children and prevent them from becoming victims in the first place. The best weapon against sexual predators is to educate children to prevent the crimes. The harm resulting from being a victim of this crime is severe, and every time a picture or video is shared, this results in repeat victimisation.

Europol is monitoring the threat and provides continuous support to EU Member States and other law enforcement agencies to identify offenders and victims. The Europe-wide #SayNo campaign seeks to raise children’s awareness of the dangers of sharing explicit material online.

Europol coordinated an investigation in Italy involving more than 200 investigators. The operation, which took place in June 2020, was based on intelligence provided by Europol and directed by the Turin Prosecutor’s Office.

The investigation led to the arrest of 3 individuals, alongside the seizure of thousands of files. During the course of the investigation, the officers discovered that one of the suspects identified had been previously arrested for sexual abuse of children. The summary details the discovery of images and videos of sexual violence in which the victims were mainly babies, 6-year-old children and pre-teens.




El Salvador continues its precarious battle against the gangs

In the midst of the COVID-19 pandemic, images of thousands of gang members stacked together by the government of El Salvador were broadcast around the world.

The country continues to be entrenched in its own war against gang members, especially those from the Mara Salvatrucha and 18 gangs. According to Osiris Luna, Deputy Minister of Security and the Director of Prisons, the State’s decision to integrate and confine members of the different criminal structures to the same cells is intended to create a shock effect among the gangs.

For two decades, successive governments have turned to the prisons in an effort to appear to be winning the battle against gang violence. It should be remembered that, according to official estimates, there are around 60,000 active gang members in a country of fewer than 7 million people.

Furthermore, in 2018, the prisons reported that 44% of the prison population were understood to belong to a gang, accounting for about 17,400 of the 39,300 people being held in the country’s jails.

Previously, the penitentiary system segregated the members of rival gangs, assigning exclusive prisons to each group.

The initiative, seen by the gangs as a victory over the system, was successful in curtailing the number of riots and murders occurring inside prisons. However, it also served to consolidate the power and internal organisation of the criminal structures.

In 2016, the previous government took the first steps towards changing the system, but under the Bukele Administration, the reforms have been accelerated.

The potential consequences of the new prison policies are unpredictable. But it should also be understood that gangs like Mara Salvatrucha or MS-13 are formed by a conglomerate of programs and cliques with operational autonomy and, although a general command does exist, they do not always follow the same orders. In fact, there have been bloody disputes between members of the same gang. Nowadays, in El Salvador, talking about the MS-13 gang as a single homogeneous entity is somewhat misleading.

The other big gang, known as Barrio 18, also suffered internal conflicts in the middle of the last decade and split into two halves: the Sureños and the Revolucionarios.

Other smaller gangs include La Mirada, Locos 13 and Mao-Mao, which currently have about 300 of their active members imprisoned.

Another front to highlight is the so-called retirees; gang members who have left MS-13 or 18, mainly due to internal conflicts.

Although they are no longer considered to be gang members, there are around 3,000 of them in El Salvador’s prisons. And in 2004, they were allocated an exclusive prison facility in the city of Sonsonate.



