Malicious software is lurking on a server, ready to encrypt all the data unless security experts find and eliminate it in time. A race against time, played out across several time zones around the world. In the middle of it all: an investigator from fedpol.
It is 4.05pm in Lausanne when the White Collar Crime Unit receives an alert from Europol through the SIENA channel: a ransomware attack is imminent against an internationally active IT company in French-speaking Switzerland. An insidious situation: ransomware is a type of malware that criminals deploy once they have gained access to a computer or network, and which then encrypts all the files. The user can no longer access the files on his or her computer, because only the perpetrator holds the decryption key. To release the files, the perpetrator demands a ransom. Criminals often copy the data before encrypting them and then sell them on the darknet.
Criminal encryption of data would not only be catastrophic for the company, but also for its customers. From the moment the cyber investigator on duty receives the alert, he knows the clock is ticking.
4.10pm at fedpol in Lausanne. The investigator passes the SIENA notification on to the cantonal police responsible. Seven minutes later he receives a reply saying that his cantonal colleagues are busy with another urgent case, and could fedpol please help. The investigator alerts the duty officer. The clock is ticking. fedpol takes over.
SIENA (Secure Information Exchange Network Application) is an online channel developed by Europol through which Member States of the European Union and associated Schengen States exchange operational information on crime, including cybercrime, securely and confidentially. The channel offers various features that allow users to share case information while ensuring a high level of data protection. SIENA can also be used to request technical assistance with international investigative measures.
4.27pm, fedpol in Lausanne. A lead: to access the company's network, the perpetrators used data comprising a long string of numbers and characters. That string is now a search term. The perpetrators have left their tracks in the company's network, but where? This is where the investigation begins.
4.45pm, Switzerland. The data do not appear to have been encrypted yet. But the malware may still be lurking on one of the company's servers or computers. The investigator and the head of IT discuss the situation. Luckily, the head of IT is in Switzerland and can take emergency measures immediately. The company's head of security is working in London, an hour behind Switzerland. It is tea time in London, but that will have to wait. The clock is ticking.
5.22pm (4.22pm in London). A conference call between fedpol and the company's head of security: the emergency measures are in place. 100 IT specialists are available, some of them based in India, where New Delhi is four and a half hours ahead (9.52pm). Their task is to search the servers for traces of the string of numbers and characters the perpetrators left behind. They have a long night ahead of them, and the clock is ticking.
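The task handed to the IT specialists here, sweeping servers for a known indicator, is routinely scripted. The following is an added example, not fedpol's or the company's tooling, and it assumes two indicator types the article does not specify: a SHA-256 hash of a known-bad file and a literal string to look for inside file contents. The indicator string, the hash, the file names and the directory tree are all constructed for the example.

```python
"""IoC sweep: walk a file tree and flag files whose SHA-256 matches a known-bad
hash or which contain a known indicator string. Constructed example; the
indicator string, hash, file names and tree below are all made up."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large server files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def contains_any(path, needles, chunk=1 << 20):
    """Return the first needle found in the file, searching chunk by chunk.
    A tail of len(longest needle) - 1 bytes is carried over to the next chunk
    so a match that straddles a chunk boundary is not missed."""
    keep = max(len(n) for n in needles) - 1
    tail = b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            window = tail + block
            for n in needles:
                if n in window:
                    return n
            tail = window[-keep:] if keep > 0 else b""
    return None


def sweep(root, hash_iocs, string_iocs):
    """Return [(path, reason)] for every regular file under root that either
    has a SHA-256 listed in hash_iocs or contains one of string_iocs."""
    hash_iocs = {h.lower() for h in hash_iocs}
    needles = [s.encode() for s in string_iocs]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # don't follow links out of the tree; skip devices etc.
            try:
                digest = sha256_of(p)
                if digest in hash_iocs:
                    hits.append((str(p), "sha256 " + digest))
                    continue
                if needles:
                    found = contains_any(p, needles)
                    if found is not None:
                        hits.append((str(p), "contains " + found.decode(errors="replace")))
            except OSError:
                continue  # unreadable file: in real use, log it and move on
    return hits


def hit_names(hits):
    """Sorted base names of the files in a sweep() result, for reporting."""
    return sorted(Path(p).name for p, _ in hits)


# Constructed indicator standing in for the "long string of numbers and
# characters" in the article; the real one is not given there.
IOC_STRING = "a7f3b9c1d2e4f6a8-9b0c1d2e3f4a5b6c-7d8e9f0a1b2c3d4e"


def build_sample_tree():
    """Create a throwaway directory of constructed files: two clean, one that
    embeds IOC_STRING, one whose hash plays the role of a known-bad backdoor.
    Returns (root, hash_iocs, string_iocs)."""
    root = Path(tempfile.mkdtemp(prefix="iocsweep_"))
    for sub in ("www", "tmp", "logs"):
        (root / sub).mkdir()
    (root / "www" / "index.html").write_text("<html><body>hello</body></html>\n")
    (root / "logs" / "app.log").write_text("2024-01-01 12:00:00 INFO service started\n")
    (root / "www" / "web.conf").write_text("auth_token = " + IOC_STRING + "\n")
    backdoor = b"\x7fELF" + b"\x00" * 64 + b"constructed backdoor stub\n"
    (root / "tmp" / "svc_update.bin").write_bytes(backdoor)
    known_bad = [hashlib.sha256(backdoor).hexdigest()]  # as if supplied by threat intel
    return root, known_bad, [IOC_STRING]


if __name__ == "__main__":
    root, hash_iocs, string_iocs = build_sample_tree()
    for path, reason in sweep(root, hash_iocs, string_iocs):
        print(path, "->", reason)
```

Hashing happens before the string search so a file already identified by hash is reported once; symlinks are skipped so a sweep of one server does not wander into mounts or links outside the tree it was asked to cover.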
5.29pm (4.29pm in London). The cyber investigator speaks with the head of the company's legal department in London to establish the company's legal options. Will the company press charges? Where? Who has jurisdiction? The head of the legal department convenes the crisis unit: a successful ransomware attack, with data encrypted and a ransom demanded, is certainly a crisis.
5.59pm, fedpol, Lausanne. A meeting is held in the situation room of the White Collar Crime Unit. So far, the focus has been on police measures to avert damage. From this point forward, however, the focus is on coordinating police investigations to identify the perpetrators. Finding their digital fingerprints is crucial. The company will have to do this itself, since its servers are spread across different locations. If the malware is found, GovCERT, the Computer Emergency Response Team (CERT) at the National Cyber Security Centre (NCSC), will analyse it. The clock is ticking.
The National Cyber Security Centre (NCSC) is the federal competence centre for cyber security. It receives reports of cyber incidents from the public and from businesses, analyses them and responds to those reporting the incident with an assessment and recommendations for further action. It supports the cantonal police and other federal authorities in handling cyber security incidents. The NCSC coordinates joint operations and the exchange of information in this area and provides support in analysing and combating cyber security incidents.
11.03pm, India (6.33pm in Switzerland). The IT specialists have found what they are looking for: there is indeed malware lurking on a server, a backdoor through which the perpetrators could have introduced the actual ransomware. The good news is that it has not got that far yet: the investigators and IT specialists are a step ahead. The specialists carefully isolate the server from the network step by step and then pull the plug on it. The digital evidence is secured. In India, in London and at the company's headquarters in Switzerland, everyone heaves a sigh of relief.
6.45pm, fedpol, Lausanne. The cyber investigator is satisfied too. The danger has been averted. An efficient exchange of information, effective police cooperation and a rapid response were the key to thwarting the encryption. The same factors will be decisive for the investigation that follows.
The investigations can begin tomorrow. Right now, the clock is no longer ticking so loudly.