2023-07-22

“As I do every morning, I came to my company and found that it no longer existed.” That was a sentence from a managing director that stuck with me. It shows how devastating the effects of a cyber attack can be. This is the bitter balance that my team and I unfortunately have to face again and again, and ever more frequently, after attacks on companies, authorities, schools, universities, publishers or the small local craftsman.

These cyber attacks usually come out of nowhere and often hit the victims to the bone; healthy companies are pushed to the brink of collapse. Just recently, a clinic in the United States went bankrupt after an attack. It did not survive the attack economically. The result is helplessness in all areas of the company and at all levels of the company. It does something to people. It does something to the managers who suddenly have nothing left to manage, and to the employees who are suddenly afraid of losing their jobs. That is exactly one of the reasons for declaring war on these serious criminals.

They are internationally organized, well networked and unscrupulous; we call it money-driven. It is usually about ransom, a lot of money, often without any taboo. The problem has a name: “Cybercrime as a Service”. These cybercriminals are committed to efficiency and effectiveness, allowing for global attacks within minutes, almost seconds.

It is currently assumed that a medium to heavy attack takes place every 30 seconds. My team and I first encountered such a cybercrime-as-a-service platform at the end of 2019. For years, the platform had offered, and indeed delivered, absolute anonymity in the international cyber community, allowing cybercriminals worldwide to hide themselves.

International network

The starting point for the investigation was an attack against a medium-sized company in southern Germany. We also observed this international network and platform from the inside for several months and destroyed it as part of an internationally coordinated takedown. The data secured at that time is still a goldmine for us; it helps with investigations worldwide.

Most importantly, we were able to warn more than 250 companies worldwide in good time, sometimes at very short notice, and to protect them from significant financial damage. We have certainly prevented billions in damage, and probably also saved one or the other job.

Daniel Lorch is Chief Inspector and Cybercrime Expert at the Reutlingen Police Headquarters

This type of robust law enforcement requires a very large international network and, above all, courageous actors. True to our slogan “share and care”, we want to share and we want to care, and we are part of this international coalition. We work closely together with the State Criminal Police Offices and the Federal Criminal Police Office, and also on an international level with Europol. As a central platform and coordinator of international meetings, Europol has great expertise.

Don’t forget the judiciary. Here, too, it is extremely important that the highly specialized lawyers have their contact persons in the cybercrime special departments of the federal states or locally in the local public prosecutor’s offices, and that they network internationally. Cybercrime is very international, and so must law enforcement be. Only with this large international network was it possible to successfully destroy the ransomware and crime-as-a-service group.

Multiple blackmail

Why the focus on this group? Since mid-2021 it had been noticed in the area of double, triple or even quadruple extortion, as well as data exfiltration, data theft and data encryption. That set it apart from others. With a focus on medical care, they had an incredible number of victims. They attacked many companies in the medical field: clinics, which were taboo for other hackers, but also associations of statutory health insurance physicians were targets worldwide.

They did significant damage and were very efficient, very successful. This crime-as-a-service network worked very well. 100 million euros in ransom in twelve months is a remarkable balance sheet. Since human lives were in danger, we in Esslingen decided, at the request of the BKA, to throw ourselves into the central investigation for all of Germany, to bundle all responsibilities and to declare war on this network.

How does such an attack work? Unfortunately, it is a division of labour. Everyone does what they do best: breaking in, taking over the infrastructure, stealing highly sensitive data and, in the end, often encryption and blackmail. Together with our international partners we spent six months inside the network of these groups. We hacked the hackers.

We learned a lot about the group and the players. During those six months we were able to give the decryption keys to hundreds of companies worldwide, because of course we had access to them. We were always guided by a multi-phase model and agreed very early on that we would destroy this group very quickly. “Stop the bleeding” was the motto given, and also the goal.

Final Destruction

We wanted to quickly weaken this group so decisively that continued operation was no longer possible. This takedown was performed on January 26th. The goals: final destruction of the infrastructure, but above all the destruction of the group’s reputation and the shaking of its trust model. We wanted to get to the bottom, to the root of this problem. That worked relatively well. A great success, even for small departments.

What should you do? “Be prepared” is the motto. It is not a question of if it hits you, only a question of when. We are not completely at the mercy of this issue. There are excellent ways to protect yourself. If IT has enough resources and does its homework, you are in a very good position to fend off attacks.

Because the reality is: only things that are not adequately protected can be stolen. Hardly anyone is caught completely unprepared, but many things are not thought through to the end, not brought to completion. The projects are still being implemented. Only an intelligent and specifically coordinated approach makes it more difficult for the attackers. We have seen them capitulate and move on multiple times. Therefore, as a goal and conclusion: network with each other, prepare yourselves, and know whom to call when in doubt.

The central contact points for cybercrime are in every federal state, at the state criminal investigation offices. Consistently report attacks to the police, and don’t carelessly pay a ransom. It doesn’t fix your problem, and it also doubles the chance that you will be attacked again. Because if you pay once, you will definitely pay a second time.