INTERNET ORGANISED CRIME THREAT ASSESSMENT INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2018
© European Union Agency for Law Enforcement Cooperation 2018.
Reproduction is authorised provided the source is acknowledged. For any use or reproduction of individual photos, permission must be sought directly from the copyright holders.This publication and more information on Europol are available on the Internet. ISBN 978-92-95200-94-4 www.europol.europa.eu ISSN 2363-1627 DOI 10.2813/858843 QL-AL-18-001-EN-N contents
foreword 04 abbreviations 05 executive summary 06
1 / key findings 09 6 / crime priority: payment fraud 6.1. Key findings 40 2 / recommendations 11 6.2. Card-present fraud 40 6.3. Card-not-present fraud 43 3 / introduction 14 6.4. Other categories of payment fraud 44 6.5. Future threats and developments 45 6.6. Recommendations 45 4 / crime priority: cyber-dependent crime
4.1. Key findings 16 7 / crime priority: online criminal markets 4.2. Malware 16 7.1. Key findings 47 4.3. Attacks on critical infrastructure 21 7.2. Darknet markets 47 4.4. Data breaches and network attacks 22 7.3. Future threats and developments 50 4.5. Future threats and developments 26 7.4. Recommendations 50 4.6. Recommendations 29 8 / the convergence of cyber and terrorism 8.1. Key findings 52 5 / crime priority: 8.2. The use of the internet by terrorist groups 52 child sexual exploitation online 8.3. Recommendations 53
5.1. Key findings 31 9 / cross-cutting crime factors 5.2. The availability and online distribution of 9.1. Key findings 55 CSEM 33 9.2. Social engineering 55 5.3. The online organisation of offenders 34 9.3. Criminal finances 57 5.4. Online sexual coercion and extortion 35 9.4. Common challenges for law enforcement 60 5.5. Live streaming of child sexual abuse 33 9.5. Future threats and developments 61 5.6. Future threats and developments 37 9.6. Recommendations 64 5.7. Recommendations 38 10 / the geographic distribution of cybercrime 10.1. The Americas 66
10.2. Europe 67 10.3. The Middle East and Africa 67 10.4. Asia 68 10.5. Oceania 68
references 69 internet organised crime threat assessment IOCTA 2018 4
foreword
It is my pleasure to introduce the 2018 Internet Organised Crime Threat Assessment (IOCTA), which has been and continues to be one of the flagship strategic products for Europol. It provides a unique law enforcement focused assessment of the emerging threats and key developments in the field of cybercrime over the last year. This is of course only possible thanks to the invaluable contributions from European law enforcement and the ongoing support we receive from our partners in private industry, the financial sector and academia.
Each year the report highlights cyber-attacks of an unprecedented scope and scale. This year is no different, demonstrating the continuing need for greater cooperation and collaboration within our law enforcement community, an ethos at the very heart of Europol’s mission. The report also brings to our attention previously underestimated threats, such as telecommunication frauds, demonstrating the necessity for law enforcement to constantly adapt and develop and the need for continued training in all aspects of cybercrime. This report embodies Europol’s keywords: trust, sharing and cooperation.
While some cyber-attacks continue to grab headlines with their magnitude, other areas of cybercrime are no Only if law enforcement, the private less of a threat or concern. sector and the academic world work Payment fraud continues to together closely, can cybercrime be emphasise criminal gains combated effectively. and the facilitation of other crimes, as well as significant financial losses for citizens and financial institutions alike. Online child sexual exploitation epitomises the worst aspects of the internet and highlights the ever present danger to our children from those who would seek to exploit or abuse them. The fight against this heinous crime must continue unabated. After all, every child, wherever they are in the world, has the right to grow up in a safe environment.
This year’s report also describes a number of key legislative and technological developments, such as the introduction of the General Data Protection Regulation (GDPR), the Network and Information Security (NIS) directive and 5G technology. While these developments are positive, all will in some way impact on our ability as law enforcement officers to effectively investigate cybercrime. This emphasises the need for law enforcement to engage with policy makers, legislators and industry, in order to have a voice in how our society develops.
The IOCTA also celebrates the many successes of law enforcement in the fight against cybercrime. As long as European Union law enforcement continues to grow and evolve and to forge new bonds with global partners in both the public and private sector, I am confident that we can continue to report such successes for years to come.
Catherine De Bolle Executive Director of Europol abbreviations abbreviations Numbers ICANN I2P HTTPS gTLD Association GSMA GPS GDPR GAAD FBI FSAG EUCTF EPT EPC EK Information Security ENISA EMV Criminal Threats EMPACT EMMA Drug Addiction EMCDDA EC3 EBF DSP DPA DEA DDoS CTB CSIRT CSE CSEM CNP CERT CEO CAV ccTLD BEC ATM ASCS APWG APT AI ACS Artificial Intelligence Artificial ExploitKits UnitedStatesFederal Bureau ofInvestigation InvisibleInternetProject European Cybercrime Centre European BankingFederation Electronic Payment Terminal Curve-Tor-Bitcoin ChildSexualExploitation BusinessEmailCompromise Advanced Persistent Threat European Payment Council DataProtection Agency UnitedStatesDrugEnforcement Agency ChiefExecutive Officer CounterAnti-Virus Digital Service Providers DigitalService GlobalPositioning System Card-Not-Present Europay, MasterCard and Visa AutomatedTeller Machine Automated Card Shop GenericTop Level Domain ComputerEmergency ResponseTeam DistributedDenialofService (Europol) Group Advisory FinancialServices AustralianCyberSecurityCenter Global Airport ActionDays GlobalAirport GeneralDataProtection Regulation ChildSexualExploitationMaterial ComputerSecurityIncidentResponseTeam country codeTop country Level Domains GlobalSystemforMobileCommunications Anti-PhishingWorking Group European UnionAgencyforNetworkand European Money MuleActions European Cybercrime Task Force HyperText Transfer Protocol Secure Internet CorporationforAssigned Namesand European PlatformAgainst Multidisciplinary European MonitoringCentre forDrugsand Children NCMEC LDCA KYC J-CAT IWF IVTS ISP ISAG IS IRSF Coalition IPC³ IP IoT IOS IOCTA ICT ICS VPN URL TPP Tor Telecommunications SWIFT SSL SMS Application SIENA SGEM SEPA SCADA RIG EK RDP RAT RAMP PSD PoS PITA PBX P2P OSP OES OCG NSA NIS IslamicState Internet Protocol InternetofThings InformationandCommunicationsTechnology IndustrialControl Systems Internet Service Provider InternetService InOurSites NetworkandInformationSystems The OnionRouter InternetWatch Foundation Secure Sockets Layers Point ofSale RemoteAccessTrojan Third Provider Party Peer toPeer orPeople toPeople UniformResource Locator OperatorsofEssentialServices KnowYour Customer Private BranchExchange Payment Directive Services RemoteDesktopProtocols Online Service Providers OnlineService NationalSecurityAgency Organised CrimeGroup Virtual Private Virtual Network IntellectualProperty CrimeCoordinated Pacific Island Telecommunication Association InformalValue Transfer System Short MessageService Short InternationalRevenue Share Fraud (Europol) Group InternetSecurityAdvisory SingleEuro Payments Area Live DistantChildAbuse Self-GeneratedExplicitMaterial InternetOrganised CrimeThreat Assessment JointCybercrime ActionTaskforce Secure InformationExchange Network SocietyforWorldwide InterbankFinancial Russian AnonymousMarketplace Supervisory control anddataacquisition Supervisory NationalCenterforMissingandExploited IOCTA 2018 ExploitKit 5 executive summary IOCTA 2018 6
executive summary
For the fifth year in a row, Europol has Many areas of the report therefore build upon produced the Internet Organised Crime previous editions, which emphasises the
Threat Assessment (IOCTA). The aim of this longevity of the many facets of cybercrime. It is
Assessment is to provide a comprehensive also a testimony to an established cybercrime overview of the current, as well as anticipated business model, where there is no need to future threats and trends of crimes conducted change a successful modus operandi. The and/or facilitated online. While current events report also highlights the many challenges demonstrate how cybercrime continues to associated with the fight against cybercrime, evolve, this year’s IOCTA shows us how law both from a law enforcement and, where enforcement has to battle both innovative applicable, a private sector perspective. as well as persistent forms of cybercrime. executive summary IOCTA 2018 7
Ransomware retains its dominance Production of CSEM continues Even though the growth of ransomware is beginning to slow, The amount of detected online Child Sexual Exploitation ransomware is still overtaking banking Trojans in financially- Material (CSEM), including Self-Generated Explicit Material motivated malware attacks, a trend anticipated to continue (SGEM), continues to increase. Although most CSEM is over the following years. In addition to attacks by financially still shared through P2P platforms, more extreme material motivated criminals, a significant volume of public reporting is increasingly found on the Darknet. Meanwhile, Live increasingly attributes global cyber-attacks to the actions Distant Child Abuse (LDCA), facilitated by growing internet of nation states. Mobile malware has not been extensively connectivity worldwide, continues to be a particularly reported in 2017, but this has been identified as an complex form of online CSE to investigate due to the anticipated future threat for private and public entities alike. technologies and jurisdictions involved.
Illegal acquisition of data following data breaches is a As increasing numbers of young children have access to prominent threat. Criminals often use the obtained data to internet and social media platforms, the risk of online sexual facilitate further criminal activity. In 2017, the biggest data coercion and extortion continues to rise. The popularity breach concerned Equifax, affecting more than 100 million of social media applications with embedded streaming credit users worldwide. With the EU GDPR coming into effect possibilities has resulted in a significant increase in the in May 2018, the reporting of data breaches is now a legal amount of SGEM live streamed on these platforms. requirement across the EU, bringing with it hefty fines and new threats and challenges.
Card-not-present fraud DDoS continues to plague public dominates payment fraud but and private organisations skimming continues Criminals continue to use Distributed-Denial-of-Service Skimming remains a common issue in most of the EU (DDoS) attacks as a tool against private business and the Member States. However, as in previous years, this public sector. Such attacks are used not only for financial continues to decrease as a result of geoblocking measures. gains but for ideological, political or purely malicious reason. Skimmed card data is often sold via the Darknet and cashed This type of attack is not only one of the most frequent out in areas where Europay, MasterCard and Visa (EMV) (second only to malware in 2017); it is also becoming more implementation is either slow or non-existent. accessible, low-cost and low-risk. Toll fraud has received a considerable amount of attention this year, with criminal groups using counterfeit fuel and credit/debit cards to avoid paying toll fees. Many Member States also reported an increase in the creation of fake companies to access and abuse Points of Sale (PoS), as well as profit from compromised information. Meanwhile, card- not-present fraud continues to be a key threat for EU Member States, with the transport and retail sectors highlighted as key targets within the EU. executive summary IOCTA 2018 8
As criminal abuse of Social engineering still the cryptocurrencies grows, currency engine of many cybercrimes users and exchangers become The significance of social engineering for cyber-dependent and cyber-enabled crime continues to grow. Phishing via targets email remains the most frequent form of social engineering, Previous reports indicated that criminals increasingly abuse with vishing (via telephone) and smishing (via SMS) less cryptocurrencies to fund criminal activities. While Bitcoin has common. Criminals use social engineering to achieve a lost its majority of the overall cryptocurrency market share, range of goals: to obtain personal data, hijack accounts, it still remains the primary cryptocurrency encountered steal identities, initiate illegitimate payments, or convince the by law enforcement. In a trend mirroring attacks on banks victim to proceed with any other activity against their self- and their customers, cryptocurrency users and facilitators interest, such as transferring money or sharing personal data. have become victims of cybercrimes themselves. Currency exchangers, mining services and other wallet holders are facing hacking attempts as well as extortion of personal data and theft. Money launderers have evolved to use cryptocurrencies in their operations and are increasingly facilitated by new developments such as decentralised exchanges which allow exchanges without any Know Your Customer requirements. It is likely that high-privacy cryptocurrencies will make the current mixing services and tumblers obsolete.
Cryptojacking: a new cybercrime Shutters close on major Darknet trend markets, but business continues Cryptojacking is an emerging cybercrime trend, referring to The Darknet will continue to facilitate online criminal markets, the exploitation of internet users’ bandwidth and processing where criminals sell illicit products in order to engage in other power to mine cryptocurrencies. While it is not illegal in some criminal activity or avoid surface net traceability. In 2017, law cases, it nonetheless creates additional revenue streams and enforcement agencies shut down three of the largest Darknet therefore motivation for attackers to hack legitimate websites markets: AlphaBay, Hansa and RAMP. These takedowns to exploit their visitor’s systems. Actual cryptomining prompted the migration of users towards existing or newly- malware works to the same effect, but can cripple a victims established markets, or to other platforms entirely, such as system by monopolising their processing power. encrypted communications apps.
Although cybercrime continues to be a major threat to the EU, last year again saw some remarkable law enforcement success. Cooperation between law enforcement agencies, private industry, the financial sector and academia is a key element of this success. key findings IOCTA 2018 9
01_ key findings
Cyber-dependent ›› Ransomware remains the key malware threat in both law crime enforcement and industry reporting. ›› Cryptomining malware is expected to become a regular, low-risk revenue stream for cybercriminals. ›› The use of exploit kits (EKs) as a means of infection continues to decline, with spam, social engineering and newer methods such as Remote Desktop Protocol (RDP) brute-forcing coming to the fore. ›› New legislation relating to data breaches will likely lead to greater reporting of breaches to law enforcement and increasing cases of cyber-extortion.
Child sexual ›› The amount of detected online Child Sexual Exploitation Material continues to grow, creating serious challenges for investigations exploitation online and victim identification efforts. ›› As technologies are becoming easier to access and use, the use of anonymisation and encryption tools by offenders to avoid law enforcement detection is more and more common. ›› Children increasingly have access to the internet and social media platforms at a younger age, resulting in a growing number of cases of online sexual coercion and extortion of minors. ›› Live streaming of child sexual abuse remains a particularly complex crime to investigate. Streaming of self-generated material has significantly increased.
Payment fraud ›› The threat from skimming continues and shall do as long as payment cards with magnetic stripes continue to be used. ›› The abuse of PoS terminals is taking on new forms: from manipulation of devices to the fraudulent acquisition of new terminals. ›› Telecommunications fraud is a well-established crime but a new challenge for law enforcement. key findings IOCTA 2018 10
›› The Darknet market ecosystem is extremely unstable. While law Online criminal enforcement shut down three major marketplaces in 2017, at markets least nine more closed either spontaneously or as a result of their administrators absconding with the market’s stored funds. ›› The almost inevitable closure of large, global Darknet marketplaces has led to an increase in the number of smaller vendor shops and secondary markets catering to specific language groups or nationalities.
›› Islamic State (IS) continues to use the internet to spread The convergence propaganda and to inspire acts of terrorism. of cyber and ›› Law enforcement and industry action has pushed IS sympathisers terrorism into using encrypted messaging apps which offer private and closed chat groups, the dark web, or other platforms which are less able or willing to disrupt their activity. ›› While IS sympathisers have demonstrated their willingness to buy cyber-attack tools and services from the digital underground, their own internal capability appears limited.
›› West African and other fraudsters have evolved to adopt emerging Cross-cutting fraud techniques, including those with more sophisticated, crime factors technical aspects, such as business email compromise. ›› Phishing continues to increase and remains the primary form of social engineering. Although only a small proportion of victims click on the bait, one successful attempt can be enough to compromise a whole organisation. ›› Many of the classic scams, such as technical support scams, advanced fee fraud and romance scams still result in a considerable numbers of victims. ›› Cyber-attacks which historically targeted traditional financial instruments are now targeting businesses and users of cryptocurrencies. ›› While Bitcoin’s share of the cryptocurrency market is shrinking, it still remains the predominant cryptocurrency encountered in cybercrime investigations. ›› A combination of legislative and technological developments, such as 5G and the redaction of WHOIS, will significantly inhibit the attribution and location of suspects for law enforcements and security researchers. recommendations IOCTA 2018 11
2_recommen- dations
Cooperation Law enforcement in each Member Cyber-dependent State should identify what crime The combination of factors behind implication the NIS directive will have the WannaCry and NotPetya attacks in their country and plan accordingly, of mid-2017 have taken malware as it may result in a substantial attacks to a level where they can be increase in the reporting of network an impossible challenge for national attacks. law enforcement agencies to handle alone. This calls for greater and Investigation enhanced cooperation between international law enforcement To cope with a predicted growth agencies, private sector companies, cyber-attacks which are challenging academia and other appropriate in terms of both investigation and stakeholders. forensics, such as the use of fileless malware, law enforcement requires Moreover, the initial uncertainty additional training, investigative and regarding the actors and motivations forensic resources in order to deal with behind any particular cyber-attack increasingly complex and sophisticated calls for increased cooperation cybercrime cases. between the law enforcement, the CSIRT community and intelligence Law enforcement must continue to services. explore the investigative, analytic and policing opportunities arising Cryptomining attacks may have from emerging technologies, such as minimal impact on their victims, artificial intelligence (AI) and machine resulting in few complaints made to learning. Such tools will become law enforcement. Those which are invaluable for dealing with modern reported may also not be given a crime and for intelligence led policing. high priority. It is therefore essential that law enforcement works with the The growing number of affiliate internet security industry to curtail programmes and as-a-service cyber- this activity and restrict this source attacks (ransomware, DDoS, etc.) of criminal revenue. creates easy access to potentially highly-impactful cyber-attack tools to Cybercrime reporting anyone who desires them. Therefore, law enforcement should focus on Awareness campaigns to highlight targeting cybercriminals offering the range of cybercrime threats and cyber-attack services or products, how to respond to them can be used in order to make it harder for low- to increase public knowledge and level cybercriminals to carry attacks perception and lead to more and disproportionate to their skills. more accurate cybercrime reporting. recommendations IOCTA 2018 12
Cooperation successful in limiting the use of their Child sexual services to pay for child sexual abuse exploitation online Tackling online CSE requires and exploitation. Such approaches cooperation with the private should be expanded to other sector, civil society and academia. commonly used payments methods. Cooperation with the private sector – in particular internet service Investigation providers – can help to limit access For an effective use of limited to online CSEM and to divert potential resources, investigations into online offenders from consuming CSEM CSE should be aimed at high-value to seeking help with their sexual targets, such as administrators of preferences. large online forums who promote Alternative responses to the threat operational security. Europol should of CSE are crucial to effectively assist Member States and third tackle this issue. One alternative partners in the identification of such method would be to provide support key individuals. to persons with a sexual interest in children who have the capacity Prevention and awareness to control their tendency to offend. Education initiatives and An initiative in this regard is the standardised EU-wide prevention website helplinks.eu, which provides and awareness campaigns – such a collection of links for help and as Europol’s Say No Campaign – are prevention in countries worldwide. of crucial importance in reducing the It is crucial that law enforcement risk of children falling victim to online continue to work together with solicitation or sexual coercion and payment companies to limit the extortion. Such initiatives should look ability for online CSEM, especially to include younger children. live-distant child abuse (LDCA). An example of such efforts is the European Financial Coalition against Commercial Sexual Exploitation of Children Online (EFC). Several major credit card companies have been
While not a new threat, and European Money Mule Actions Payment fraud telecommunications fraud may (EMMA) all rely on close cooperation represent a new crime area for and collaboration between law many law enforcement agencies. enforcement and the private sector Investigating these crimes will and the increasing numbers of require additional training and participants only adds to their close collaboration with the success. telecommunication industry. Despite the likelihood that further Law enforcement and private EMV adoption will result in the industry should seek to engage in the transference of more card fraud to growing number of join action days CNP, implementation of EMV should successfully tackling fraud involving continue. non-cash payments. Global Airline Action Days, e-Commerce Actions recommendations IOCTA 2018 13
Criminality on the dark web spans additional capacity building and Online criminal multiple areas and involves a wide training of officers not involved in range of criminal commodities. computer crime. markets An effective countermeasure There is a need for an international will therefore require a suitably strategy to address the abuse of coordinated, cross-cutting response, the dark web and other emerging involving investigators with equally platforms for illicit trade. diverse expertise. This will require
Terrorist groups continue to operations. This will require closer The convergence of abuse online platforms and social coordination and information- cyber and terrorism networking tools, distributing sharing across law enforcement propaganda material in their efforts agencies and enhanced to recruit, fundraise and organise cooperation from the private attacks. In doing so, they make use of sector. In particular, Online Service legitimate services (e.g. purchasing Providers (OSPs) should develop hosting services and downloading their own capacity and share best available social media platforms) practises amongst themselves in and continue to innovate in their bid order to restrict access to hateful to evade detection, develop their and dangerous messages. technical capabilities and raise funds › The second must focus on the via cryptocurrencies. › groups’ ability to carry out cyber- While it is impossible to completely attacks. eradicate terrorist propaganda from The two strategies reinforce each the internet, it is possible to minimise other: disrupting propaganda will its impact. With this in mind, two hinder terrorists’ access to human separate but interlinked strategies expertise, funding and cyber tools; should be deployed: similarly thwarting cyber-attacks will ›› The first focus should be on help limit the groups’ attractiveness countering terrorist groups’ online to potential recruits. propaganda and recruitment
The most effective defence against on how users of cryptocurrencies can Cross-cutting crime social engineering is the education of protect their data and wallets. potential victims. Law enforcement factors Investigators should identify and should therefore continue to support build trust relationships with any prevention and awareness campaigns cryptocurrency related businesses aimed at raising awareness in relation operating in their jurisdiction, such to these threats. as exchangers, mining pools or wallet Many social engineering scams operators. targeting EU citizens are carried out Member States should increasingly by West African organised crime invest or participate in appropriate groups (OCGs). Tackling this threat specialist training and investigative requires stronger cooperation with tools in order to grow their capacity West African states, including to effectively tackle issues raised capacity building and training of law by cryptocurrencies during enforcement officers. investigations. Investigating Prevention and awareness campaigns cryptocurrencies must become a core should be tailored to include advice skill for cybercrime investigators. introduction IOCTA 2018 14
3_introduction
The Internet Organised Crime Scope Threat Assessment (IOCTA) The 2018 IOCTA focuses on the trends and developments pertinent aims to inform decision- to the above-mentioned priority crime areas. In addition to this, the report will discuss other cross-cutting factors that influence or impact makers at strategic, policy the cybercrime ecosystem, such as criminal use of the Darknet and and tactical levels in the fight social engineering. The report will also examine some of the common against cybercrime, with a view challenges to law enforcement. to directing the operational This report provides an update on the latest trends and the current impact of cybercrime within Europe and the EU. Each chapter provides focus for EU law enforcement. a law enforcement centric view of the threats and developments within The 2018 IOCTA will contribute cybercrime, based predominantly on the experiences of cybercrime investigators and their operational counterparts from other sectors. to the setting of priorities for It draws on contributions from more strategic partners in private the 2019 EMPACT operational industry and academia to support or contrast this perspective. The action plan in the three sub- reports seeks to highlight future risks and emerging threats and provides recommendations to align and strengthen the joint efforts areas of the cybercrime of EU law enforcement and its partners in preventing and fighting priority: cyber-attacks, cybercrime. payment fraud and child sexual Methodology exploitation online, as well as The 2018 IOCTA was drafted by a team of Europol analysts and cross-cutting crime enablers. specialists drawing predominantly on contributions from Member States, the European Union Cybercrime Taskforce (EUCTF), Europol’s Analysis Projects Cyborg, Terminal and Twins and EC3’s Cyber Intelligence Team, via structured surveys and interviews. This has been enhanced with open source research and input from the private sector, namely EC3’s Advisory Groups on Financial Services, Internet Security and Communication Providers. These contributions have been essential to the production of the report. Acknowledgements Europol would like to extend thanks to all law enforcement and private sector partners who contributed to this report, in particular the European Banking Federation (EBF) and the EC3’s Academic Advisory Network. cyber-dependent crime IOCTA 2018 15
4_
CRIME PRIORITY cyber-dependent crime
Cyber-dependent crime can be defined as any crime that can only be committed using computers, computer networks or other forms of information communication technology (ICT). In essence, without the internet criminals could not commit these crimes1. It includes such activity as the creation and spread of malware, hacking to steal sensitive personal or industry data and denial of service attacks to cause financial and/or reputational damage. cyber-dependent crime IOCTA 2018 16
4.2 / Malware Brokers group in April 20175. Lastly, 4.1 / Key findings all incorporated some self-replicating Ransomware dominates worm functionality, which accounted for the speed and spread of the Ransomware remains reporting across the board infections. the key malware threat in From law enforcement to media both law enforcement and and from the security industry to While there continues to be a global 2 coordinated response to these industry reporting. the financial sector , ransomware dominated reporting across the board specific attacks, European law throughout 2017. The WannaCry enforcement reports ransomware Cryptomining malware and NotPetya attacks of mid-2017 attacks from a wide range of other is expected to become a were of an unprecedented global ransomware families. The most commonly reported ransomware regular, low risk revenue scale, affecting an estimated 300 000 victims worldwide, in over families are Cerber, Cryptolocker, stream for cybercriminals. 150 countries, with the WannaCry Crysis, Curve-Tor-Bitcoin Locker (CTB- attacks alone estimated to have Locker), Dharma and Locky. With The use of exploit kits (EKs) cost global economies in the region the exception of Dharma, for which 3 decryption keys are now available6, as a means of infection of USD 4 billion . Within the EU, the attacks affected a wide range of key all of these were reported in previous continues to decline, with industries and critical infrastructures years. Member states reported a wide spam, social engineering including health services, range of other ransomware families, and newer methods such telecommunications, transport and but in fewer instances and dispersed as remote desktop protocol manufacturing industries. Later in across Europe. (RDP) brute-forcing coming the year, the Bad Rabbit ransomware Overall damages arising from to the fore. hit over 200 victims in Russia and ransomware attacks are difficult to Eastern Europe, again affecting calculate, although some estimates critical infrastructures such as suggest a global loss in excess of New legislation relating to healthcare, transport and financial USD 5 billion in 20177. In comparison, 4 data breaches will likely sectors . other reporting suggests that lead to greater reporting These attacks were notable for a over the past two years, 35 unique of breaches to law variety of reasons. Firstly, according ransomware strains have earned enforcement and increasing to public reports, their origins are cybercriminals USD 25 million, cases of cyber-extortion. strongly suspected to be the acts of with Locky and its many variants Advanced Persistent Threat (APT) accounting for more than 28% of groups associated with nation that figure8. This highlights the states and not financially motivated huge disparity between the losses criminals. All three attacks also to victims, compared to the actual leveraged one or more of the NSA criminal revenue generated. exploits leaked by the Shadow
In December 2017 Romanian Kingdom (UK). Each email had authorities arrested three an attachment, often in the form individuals suspected of infecting of an archived invoice, which computer systems by spreading contained a malicious file, which, the CTB-Locker ransomware. Two once opened on a Windows further suspects from the same system, would allow the malware criminal group were also arrested to encrypt files on the infected in Bucharest in a separate, device. parallel ransomware investigation The operation was supported linked to the US. by the Dutch National High-Tech The group spread the malware Crime Unit, the National Crime using spam drafted to look Agency in the UK, the FBI and like it was from well-known Europol’s EC3 and the Joint companies in countries like Italy, Cybercrime Action Taskforce the Netherlands and the United (J-CAT). cyber-dependent crime IOCTA 2018 17
WANNACRY Notable targets in the EU RUSSIA GERMANY Deut c e e o i i tr of ter l ff ir of t e u i e er tio u i il UNITED KINGDOM er