Law enforcement and IT security companies join forces to fight ransomware
From right to left: Jornt van der Wiel, Kaspersky Lab; Steve Wilson, EC3; Raj Samani, Intel Security; Wilbert Paulissen, Dutch Police
The Dutch National Police, Europol, Intel Security and Kaspersky Lab have joined forces to launch an initiative called No More Ransom, to spread the word about the threat of ransomware.
No More Ransom is a new online portal designed to inform the public about the dangers of ransomware and help victims recover their data without having to pay money to cyber-criminals.
Ransomware is claiming victims at an alarming rate: according to Kaspersky Lab, the number of users attacked by crypto-ransomware rose by 550 percent, from 131,000 in 2014-2015 to 718,000 in 2015-2016.
It's become a top priority for EU law enforcement: almost two-thirds of EU Member States are conducting investigations into this kind of malware.
Wilbert Paulissen, Director of the National Criminal Investigation Division of National Police of the Netherlands commented to SCMagazineUK.com by email: “We, the Dutch police, cannot fight against cybercrime and ransomware in particular, alone. This is a joint responsibility of the police, the justice department, Europol, and ICT companies, and requires a joint effort. This is why I am very happy about the police's collaboration with Intel Security and Kaspersky Lab. Together we will do everything in our power to disturb criminals' money making schemes and return files to their rightful owners without the latter having to pay loads of money.”
The project has been envisioned as a non-commercial initiative aimed at bringing public and private institutions under the same umbrella. Due to the changing nature of ransomware, with cybercriminals developing new variants on a regular basis, this portal is open to new partners' cooperation.
The first big step taken in this initiative is that it teaches victims of ransomware how to report an infection, linking directly to Europol's overview of national reporting mechanisms. Reporting ransomware to law enforcement is important because it gives authorities a clearer overall picture and a greater capacity to mitigate the threat.
The online portal will educate users on how they can find information on what ransomware is, how it works and, most importantly, how to protect themselves.
The portal also provides users with tools that may help them recover their data once it has been locked away by criminals. In its initial stage, the portal contained four decryption tools for different types of malware, the latest developed in June 2016 for the Shade variant.
By working closely together and sharing information between different parties, the Shade command and control server used by criminals to store keys for decryption was seized, and the keys were shared with Kaspersky Lab and Intel Security.
That helped to create a tool which victims can download from the No More Ransom portal to retrieve their data without paying the criminals. The tool contains more than 160,000 keys.
Jornt van der Wiel, Security Researcher at Global Research and Analysis Team, Kaspersky Lab commented to SC by email: “The biggest problem with crypto-ransomware today is that when users have precious data locked down, they readily pay criminals to get it back. That boosts the underground economy, and we are facing an increase in the number of new players and the number of attacks as a result.”
Van der Wiel added: “We can only change the situation if we coordinate our efforts to fight against ransomware. The appearance of decryption tools is just the first step on this road. We expect this project to be extended, and soon there will be many more companies and law enforcement agencies from other countries and regions fighting ransomware together.”
Raj Samani, EMEA CTO for Intel Security commented to SC by email: “This initiative shows the value of public-private cooperation in taking serious action in the fight against cybercrime.”
Samani explained: “This collaboration goes beyond intelligence sharing, consumer education, and takedowns to actually help repair the damage inflicted upon victims. By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment.”
The announcement of No More Ransom comes just as Europol's European Union Internet Referral Unit (EU IRU) celebrates its first birthday.
The EU IRU was set up by the Justice and Home Affairs Council of the EU and is built upon Europol's Check-the-Web service. Its main role is to anticipate and preempt terrorist abuse of online tools, as well as to play a proactive advisory role via each EU Member State and the private sector in this regard.
The unit also provided operational support to 44 investigations across the EU, delivering 82 operational products and deploying 4 Europol staff on-the-spot (3 during the terrorist attacks carried out in Paris late last year and 1 to support French authorities during the European Football Championship EURO 2016).
Since its conception, it has assessed and processed over 11,000 messages across some 31 online platforms in 8 languages for the purpose of referral to the internet service providers concerned. The content had been put out by criminals to spread violent extremist material.
91.4 percent of the total content has been successfully removed from the platforms by the social media and online service providers.
Rob Wainwright, Director of Europol commented by email to SC: “EU IRU has proven to be a successful concept aimed at reducing terrorist and extremist online propaganda. The constructive partnership with relevant social media and private companies has helped Europol deliver a strong response to this problem affecting the safety and liberty of the Internet”.