Over the last years, ransomware attacks have been confirmed as one of cybercrime’s main business models, pushing aside other well-established operating modes like phishing, online frauds, banking trojans, and distributed denial-of-service (DDoS) attacks.
When such an attack occurs, response time is critical and both security teams and law enforcement authorities, together with the individuals/companies targeted by the attack, must take immediate action. As time passes, more data/devices could be encrypted, driving up cost/damage and affecting more people/industry lines.
The response of the criminal justice authorities should be not only fast, but also informed and coordinated with the private sector and other international agencies/organizations that could provide assistance or operational support, as the international dimension is very common in these cases.
To this end, the joint project of the European Union and the Council of Europe – iPROCEEDS-2, in cooperation with the USA Embassy in Croatia addressed the issue of investigating ransomware attacks in Izmir, Turkiye, on 11 – 14 July 2022. Around 40 delegates, from 10 countries (Albania, Bosnia and Herzegovina, Montenegro, North Macedonia, Kosovo*, Serbia, Turkiye, Bulgaria, Croatia and Romania) benefited from this pilot exercise carried out for the first time at the Council of Europe.
The participants worked together to investigate a case simulation of ten victims that had been attacked by a ransomware criminal organization, using a well-known malware. Just like in real-life scenarios, some of the victims had paid the extortion demand using bitcoins, while others decided to report to the authorities that their servers had been compromised and they were asked for money to get the decryption key.
The exercise was designed to make participants more technically equipped to carry out such investigations, to share their own experiences in similar cases, to assimilate solutions and expertise that they can apply to a variety of investigations when they return to their offices. Also, the exercise aimed at improving interagency/international cooperation while investigating a ransomware attack, taking the necessary measures to secure and share electronic evidence, but also practical cross-cutting issues such as negotiating with the attackers.
The participants were divided into 5 teams composed of prosecutors, cybercrime investigators, digital forensics experts and CERTs representatives, with the prosecutors taking the lead and coordinating/monitoring/approving the action. Regardless of their technical level and previous experience, the delegates have acquired real knowledge and practical skills in undertaking blockchain investigations, sharing open-source intelligence, using online resources to identify digital wallets and searching/seizing criminal proceeds, that will be put to use in their future work.
iPROCEEDS-2 project webpage