Europol: the response to unprecedented cyber-attacks “not good enough”

The global scale, impact and rate of spread of cyber-attacks over the past year are unprecedented, reports Europol's 2017 Internet Organised Crime Threat Assessment (IOCTA).

"The global impact of huge cyber-security events such as the WannaCry ransomware epidemic has taken the threat from cyber-crime to another level. Banks and other major businesses are now targeted on a scale not seen before and, while Europol and its partners in policing and Industry have enjoyed success in disrupting major criminal syndicates operating online, the collective response is still not good enough. In particular people and companies everywhere must do more to better protect themselves," says Europol's executive director Rob Wainwright.

Among key findings are that:

·  Ransomware has eclipsed most other cyber-threats globally in both the public and private sectors highlighting how connectivity, poor digital hygiene standards and security practices can allow such a threat to quickly spread and expand the attack vector.

·  The first serious attacks by botnets using infected insecure Internet of Things (IoT) devices occurred.

·  Data breaches reportedly exposed two billion records related to EU citizens over a 12-month period.

·  The Darknet remains a key cross-cutting enabler for a variety of crime areas, from supply of illegal products to compromised payment data used to commit various types of payment and other fraud.

·  Offenders continue to abuse the Darknet and other online platforms to share and distribute child sexual abuse material, and coerce or sexually extort vulnerable minors.

·  Payment fraud affects almost all industries, having the greatest impact on the retail, airline and accommodation sectors as well as the facilitation of other crimes, including trafficking in human beings or drugs, and illegal immigration.

·  Direct attacks on bank networks to manipulate card balances, take control of ATMs or directly transfer funds, known as payment process compromise, represent one of the serious emerging threats in this area.

Julian King, EU Commissioner for the security union, said: “This report shows online crime is the new frontier of law enforcement. We've all seen the impact of events like WannaCry: whether attacks are carried out for financial or political reasons, we need to improve our resilience and ensure cyber-crime does not pay - last week the EU set out a package of concrete cybersecurity measures.” 

Dimitris Avramopoulos, EU Commissioner for Migration, Home Affairs and Citizenship, added: "Cross-border cyber-threats today threaten not only our citizens and our economies, but also our democracies themselves. Cybercrime has become increasingly instrumental in geopolitics and conflicts. With a new EU cyber-strategy, and a stronger role for European agencies, including ENISA and Europol, we will be better equipped to increase cyber-security collectively, in Europe and beyond."

Successes included the takedown of two of the largest Darknet markets, AlphaBay and Hansa, the dismantling of the Avalanche network, and two successful Global Airport Action Days targeting those travelling on fraudulently-purchased airline tickets.

Recommendations in the IOCTA include:

·  Law enforcement must continue to focus on the actors developing and providing the cyber-crime attack tools and services responsible for ransomware, banking trojans and other malware, and suppliers of DDoS attack tools, counter-anti-virus services and botnets.

·  The international law enforcement community must continue to build trusted relationships with public and private partners, CERT communities, etc, so that it is adequately prepared to provide a fast and coordinated response in case of a global cyber-attack.

·  Company employees and the general public need to be educated to recognise and respond accordingly to changing criminal tactics like social engineering and spam botnets. EU Member States should continue to support and expand their engagement with Europol in the development of pan-European prevention and awareness campaigns.

·  While investigating online child sexual exploitation, EU Member States should ensure sufficient investigative tools and resources to fight this crime. Joint high-quality and multilingual EU-wide prevention and awareness activity needs to be maintained.

·  Law enforcement needs to develop a globally coordinated strategic overview of the threat presented by the Darknet. Such analysis would allow for future coordination of global action to destabilise and close down criminal marketplaces. It is also essential that investigators responsible for all crime areas represented on Darknet markets have the knowledge, expertise and tools required to effectively investigate and act in this environment.

·  The growing threat of cybercrime requires dedicated legislation that enables law enforcement presence and action in an online environment. The lack of adapted legislation is leading to a loss of both investigative leads and the ability to effectively prosecute online criminal activity.

Simon Migliano, head of research at commented in an email to SC Media UK: “The message from Europol is clear: ransomware is a big money-spinner for criminals, who are growing ever more sophisticated. This should be a wake-up call to the whole nation. From the individual through to business and the public sector, we are all potential targets for ransomware attacks and have a part to play in thwarting cybercrime.


“What's worrying though is that our recent research revealed that over 62 percent of Britons didn't feel it was likely they would be attacked. Europol's report shows the danger of this complacency; ransomware is a disruptive threat that puts lives at risk and costs the country money.


“Not only does there need to be greater investment in cyber-security and IT upgrades where necessary but ordinary people also must educate themselves about the simple steps they can take to keep themselves safe from this cybercrime wave.”


David Kennerley, director of Threat Research, Webroot, also homed in on the fact that ransomware continues to be one of the biggest threats facing organisations today, commenting to SC Media UK: “Due to poor security practices and culture in many cases it is often seen to be cheaper to pay the ransom to get the data back, than rely on flaky internal recovery procedures. No matter how tempting it might be, if any other option exists, however challenging, companies should never negotiate or concede to criminals and pay the ransom.


“The danger with paying the ransom is there's no guarantee they'll recover the encrypted files, and by paying you are only fuelling the ransomware economy – and what now stops you being targeted again in future cyber-attacks? Also be aware that ransomware by its very nature is designed to be annoying and loud, be mindful that there may also be secondary infections intent on staying hidden, looking to perform damage using other means – like data and password pilfering.”


Simon Edwards, cyber security solution architect, Trend Micro, was interested in how cyber hackers are increasingly operating like businesses, noting, “...they're increasingly assessing the risk for gaining particular pools of data, evaluating worth against the time spent to obtain it, and are now looking for buyers on the dark web before the attack is even in motion.


“The rise of ransomware attacks is testimony to the level of dexterity hackers today possess – they have a level of detail and process akin to running a global customer service centre! From tagging each infected device and the data obtained, tracking any ransom that has been paid, and decrypting data for recipients (that is, if they choose to do so), a ransomware attack is an incredibly complex operation that hackers don't enter into lightly.


“In the cyber-underground, revenue will continue to be the number one motive. As hackers increase their profits – and their business acumen in the process – we'll only see the number of ransomware threats increasing.”


As a consequence, Steve Malone, director of security product management at Mimecast, observes: “It's clear that organisations need more support and training fast. WannaCry was a wake-up for some but we're still not seeing these new threats taken seriously enough by others.


“Only by working together in homes, schools, businesses and the wider community can we begin to build cyber resilience into all the services upon which we rely.


“There is a prime opportunity for critical national infrastructure organizations to lead the way forward with the forthcoming NIS Directive in 2018. This EU-wide legislation needs to be harnessed quickly to foster a new culture of security for citizens.”


Another future threat area is IoT, with Kirill Kasavchenko, principal security technologist at Arbor Networks, emailing in to comment: “Botnets are a key enabler of these large-scale attacks, and the rise of IoT devices is making it increasingly difficult to mitigate against these threats. This report shows that businesses need to expect attacks, and must ensure they have enough defences in place to protect their assets, their customers and their employees. To stop criminals from seeing cybercrime as a lucrative source of income, there must be collaboration and intelligence sharing to ensure hackers are not able to hold organisations to ransom and disrupt critical industries.”


David Emm, principal security researcher, Kaspersky Lab concludes: “The threat continues to evolve, becoming stealthier and more destructive, increasingly targeting businesses more than individuals because the potential returns are much higher.” Consequently he reminds security professionals, “Last year, the No More Ransom Initiative was launched by the National Hi Tech Crime Unit of the Dutch Police, Europol, McAfee and Kaspersky Lab. Its decryption tools have managed to decrypt data on more than 28,000 devices and deprive cyber-criminals of an estimated £6.5 million in ransoms, which shows the scale of the ransomware landscape.”

Emm goes on to outline Kaspersky Lab's recommendations to deal with the threat from ransomware:


1.    Back up data regularly.

2.    Use a reliable security solution, and remember to keep key proactive detection features – such as System Watcher in Kaspersky Lab products – switched on.

3.    Always keep software updated on all the devices you use.

4.    Adopt good ‘housekeeping' practices to limit the ability of ransomware to spread and impact data.  These include segmenting the network, not automatically assigning admin rights to staff and restricting write access to data.

5.    IT security awareness for all staff is vital. Staff should be encouraged to adopt a security mindset – in particular, to exercise caution when opening e-mail attachments or clicking on links.  Cyber-criminals often distribute crypto-malware via fake e-mail messages mimicking notifications from an online store or a bank, or imitate ordinary communications.

6.    If you are unlucky enough to fall victim to an encryptor, don't panic.

7.    Use a clean system to check the No More Ransom site, where you may find a decryption tool that can help you get your files back.

8.    Be very wary about paying the ransom.  You might not get your data back; and every payment the cyber-criminals receive validates their business model.

9.    Last, but not least, remember that ransomware is a criminal offence. Report it to your local law enforcement agency.
