Law enforcement authorities took action against the criminal misuse of VPN services as they targeted the users and infrastructure of VPNLab.net. The VPN provider’s service, which aimed to offer shielded communications and internet access, was being used to support serious criminal acts such as ransomware deployment and other cybercrime activities. 


On January 17, disruptive actions took place in a coordinated manner in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom. Law enforcement authorities have seized or disrupted the 15 servers that hosted VPNLab.net’s service, rendering it no longer available. Led by the Central Criminal Office of the Hannover Police Department in Germany, the action took place under the EMPACT security framework objective "Cybercrime —  Attacks Against Information Systems."


VPNLab.net was established in 2008, offering services based on OpenVPN technology and 2048-bit encryption to provide online anonymity for as little as $60 per year. The service also offered a double VPN, with servers located in many countries. This made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities.


Law enforcement took an interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution. Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns and the actual deployment of ransomware. At the same time, investigators found the service advertised on the dark web itself.


As a result of the investigation, more than one hundred businesses have been identified as at risk of cyberattacks. Law enforcement is working directly with these potential victims to mitigate their exposure.


Neil Jones, Cybersecurity Evangelist, Egnyte, says, “It is a breath of fresh air to see that international law enforcement is focusing their efforts on technology providers that offer cyberattack-friendly environments and make it easy for ransomware as a service (RaaS) providers to perpetrate potential attacks. It is also a positive sign to see that the VPNLab operation spanned multiple European and North American countries because it is extremely easy for a cybercrime enterprise to wind down its operations in one country, only to reemerge in another country. In this particular case, dozens of companies may have thwarted cyberattacks. However, all organizations need to take the following steps to prevent potential ransomware attacks: 


1) Provide security awareness training to end-users, especially about the danger of phishing messages. 

2) Always utilize Multi-Factor Authentication (MFA). 

3) Restrict users’ file access, based on their “Business Need to Know.” 

4) Evaluate ransomware detection technology. 


Most importantly, if a technology solution has a price that’s too good to be true, evaluate it carefully before putting it into production at your organization,” Jones says.


Steve Moore, chief security strategist, Exabeam, explains, “Twelve international organizations were involved in this specific action, and it took 60 meetings to pull off. While we don’t know, it’s possible this VPN platform was used in recent attacks beyond ransomware. In parallel, the FSB claims they have arrested several members of the REvil ransomware gang: 25 homes owned by 14 members in several Russian cities. What does this mean for the corporate defender? You might have felt alone for many years, and you probably still do — however, relationships matter more than ever. Major attacks require the engagement of law enforcement by defenders. Security teams need to educate their leadership on what this means, specifically as it affects the response timeline. Waiting for a more extensive and timed global action can mean a greater good — in short, patience.”