Cyber extortion up by 45 percent, investigative efforts intensify
Investigative agencies are going after cybercriminals more frequently and more effectively than ever before. Whereas large organizations used to be the primary targets, smaller and medium-sized organizations are now being targeted more often. Reporting incidents promptly is crucial for a successful outcome; however, this often does not happen. This is indicated by an analysis of over 400 actions against cybercrime by Orange Cyberdefense.
In response to the growing number of extortion cases, the number of international investigations is increasing. Orange Cyberdefense, which has been mapping global investigations into cybercrime since 2021, collected more than 500 cases, of which 418 were investigated in detail. Investigative services are disrupting criminal networks more often and shutting them down more quickly.
International cooperation is playing an increasingly important role here. Investigative agencies are conducting more joint operations than a few years ago, according to Paul-Alexandre Gillot, coordinator of the Joint Cybercrime Action Taskforce at Europol, during a recent webinar on the subject.
These joint operations focus not only on individual perpetrators, but also on the platforms, hosting services, and money flows that enable cybercrime. Such investigations often take several years and yield information that is used in several countries simultaneously.
Even amid geopolitical tensions, this cooperation remains intact, Gillot emphasizes. Investigative agencies within and outside the EU continue to share information to tackle criminal networks.
Because extortion is the main revenue model for cybercriminals, investigative agencies give this a high priority. Increasingly, there is a professional ecosystem of developers, affiliates, and service providers behind ransomware as a service. Investigations, therefore, also focus on the platforms, malware providers, forums, hosting services, and crypto platforms that enable this model.
In this way, authorities increase the risk for criminals. They seize infrastructure and communicate about their actions. In doing so, they sow distrust within criminal networks. Researchers have observed that groups are disappearing, renaming themselves, or disbanding more quickly as a result.
According to Diana Selck-Paulsson, Lead Security Researcher at Orange Cyberdefense, this approach also has a preventive effect. The dismantling of infrastructure and open communication about it lead to doubt among criminals, who trust each other less.
Unfortunately, many organizations do not report cyber incidents to the authorities, or do so only at a late stage. This hinders investigations and gives criminals more time. New regulations enable Europol receive information directly from private parties, for example via the Cyber Intelligence Gateway mechanism. This enables investigators to link data from a single incident more quickly to ongoing investigations in multiple countries. International task forces thus increase their effectiveness and share information without detours via national links.
Dutch public and private parties share threat information via the NCTV's Cyclotron program.
“Many operations against cybercrime start with a single victim reporting the crime. Without reporting, crucial clues remain within a single organization, and criminal infrastructures can continue to operate for longer. Those who remain silent slow down the investigation,” says Matthijs van der Wel-ter Weel, Strategic Advisor at Orange Cyberdefense.
“Agencies such as Europol build up files over several years. An indicator from a single incident may seem small, but when combined with other reports, it can be exactly the piece of the puzzle that leads to the dismantling of a network.”
