VPNLab.net Servers Seized: It Offered Services to Ransomware and Malware Groups

Law enforcement agencies in 10 countries have taken offline VPNLab.net, a VPN service provider used by ransomware and malware groups. The joint action was coordinated by Europol and took place on Monday, January 17, involving police forces from Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom.

In the operation, 15 servers used by VPNLab.net were seized and the official site was taken offline, rendering the platform unavailable. Cyber criminals use VPN services to conceal their identity, geographic origin and online activities by passing their traffic through various encrypted communication channels.

Compared to commercial VPN services, which most users rely on for security purposes, more abuse-prone solutions are typically slower and more complicated to use, as they apply multiple layers of encryption and traffic “scrambling”. VPNLab.net has long been well known for these features: active since 2008, it offered a service based on OpenVPN technology and 2048-bit encryption for only $60 per year. VPNLab.net servers were located in different countries to provide relative geographic proximity to different threat actors around the world and to keep performance at acceptable levels.

Law enforcement became interested in the provider following numerous investigations that showed criminals were using the VPNLab.net service to facilitate illegal activities such as malware distribution. Other cases have shown the ‘use of the service in setting up the infrastructure for controlling and communicating ransomware campaigns, as well as for the actual distribution of ransomware’, said Europol.

The owners of VPNLab.net have not yet been identified, but law enforcement says it now has valuable evidence on that front following the seizure of the servers. The police will also examine the contents of the servers, from which further details about ransomware groups and malicious clients of the VPN service may emerge.

A little over a year ago, in December 2020, Europol coordinated another police action which resulted in the takedown of two other VPN service providers: at the time it was the turn of the Safe-Inet and Insorg VPNs, both of which are known to have been used by cybercriminals as well.