FBI Links First VPN Service to 25 Ransomware Gangs and Botnet Operations, Urges Enhanced Cyber Defenses
The Federal Bureau of Investigation (FBI) has revealed that approximately 25 ransomware groups have exploited a criminal VPN service known as ‘First VPN Service’ to facilitate various cybercriminal activities, including network intrusions, scanning operations, botnet deployment, denial-of-service attacks, and scams. This service has been operational since around 2014, utilizing 32 exit nodes across 27 countries. Its existence has significantly impacted organizations by enabling cybercriminals to conduct reconnaissance, credential abuse, and broader malicious operations.
In a recent FLASH advisory, the FBI stated, “At least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions.” The advisory further noted that the IP addresses associated with First VPN Service have been linked to various malicious activities, including scanning, botnet operations, and hacking. The service was predominantly advertised on well-known criminal dark web forums, such as Exploit[.]in and XSS[.]is, which serve as marketplaces for cybercriminals to trade unauthorized access to computer systems, stolen personal information, hacking tools, and other contraband. The FBI emphasized that the reporting pertains solely to First VPN Service and does not extend to other similarly named VPN providers.
International Takedown of First VPN Service
This revelation coincided with a coordinated international operation to dismantle First VPN Service, spearheaded by French and Dutch cybercrime units, with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg. The operation also drew attention to the service's marketing strategy, which primarily targeted Russian-language dark web forums frequented by cybercriminals trading stolen data and hacking tools.
The FBI’s advisory highlighted the collaborative efforts of various law enforcement agencies, stating, “This operation was conducted by France’s Direction Régionale de la Police Judiciaire Brigade de Lutte Contre la Cybercriminalité (BL2C), and the Dutch National Police, National High Tech Crime Unit (NHTC), with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg.”
The Rise of Ransomware-as-a-Service
Avaddon emerged in 2020 as a ransomware-as-a-service (RaaS) operation, heavily relying on phishing campaigns and affiliate-driven attacks targeting corporate networks, particularly within critical sectors such as manufacturing. In 2023, the U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) identified evidence suggesting that the newer NoEscape ransomware group may be a rebrand or successor of the now-defunct Avaddon operation, which ceased operations in 2021 after releasing decryption keys to victims amid increased law enforcement scrutiny.
The FBI has acknowledged that malicious infrastructure often resides on cloud or virtualized platforms where IP addresses are dynamically assigned. Consequently, addresses linked to malicious activities may later be reassigned to legitimate services. The agency advises that these indicators should be interpreted as historically observed infrastructure and corroborated with current network telemetry or additional intelligence sources.
Technical Insights into First VPN Service
The FBI detailed that First VPN Service offered various connection protocols, including OpenConnect, WireGuard, Outline, and VLess TCP Reality, along with multiple encryption options such as OpenVPN ECC, L2TP/IPSec, and PPTP. Users could also access technical support via a self-hosted Jabber server and Telegram encrypted messaging service. Notably, the VPN protocols ‘VLESS’ and ‘Reality’ allowed users to disguise VPN traffic as standard HTTPS traffic, complicating detection efforts.
In MITRE ATT&CK terms, this activity maps to T1090 (Proxy): adversaries route malicious traffic through VPN services like First VPN Service to obscure its true origin and evade detection. It also maps to T1133 (External Remote Services): threat actors reach victim environments over VPN infrastructure, often using valid credentials for initial access, persistence, or follow-on operations.
Recommendations for Organizations
In light of these developments, organizations are urged to implement layered defensive controls that integrate network restrictions, identity-based protections, and behavioral monitoring to mitigate risks associated with anonymization services like First VPN Service. The FBI recommends blocking or closely monitoring known First VPN Service infrastructure by deny-listing associated domains and scrutinizing related IP addresses wherever feasible.
Security teams should continuously monitor connections to unapproved VPN infrastructure and newly identified IP addresses linked to anonymization services. The guidance also emphasizes the need for VPN-aware access controls, restricting authentication to corporate resources from approved networks or managed devices, and enforcing conditional access policies that flag logins from known VPN or proxy networks.
Furthermore, organizations should strengthen authentication security by mandating multi-factor authentication for all remote access services, including VPN, SSH, RDP, and cloud applications. Monitoring authentication attempts from unfamiliar IP addresses, geolocations, or autonomous systems is also critical. Organizations are encouraged to detect anomalous identity and session activity, such as impossible travel events or simultaneous sessions from geographically distant regions.
The advisory also calls for hardening remote access services by limiting SSH and management interfaces to trusted IP ranges or secure access solutions, such as bastion hosts and zero trust architectures. Direct exposure of management services to the public internet should be avoided whenever possible.
Additionally, defenders are urged to inspect and analyze network traffic for abnormal patterns, including lateral movement, scanning activity, and command-and-control communications originating from VPN-associated infrastructure.
The FBI recommends applying least privilege principles and network segmentation to minimize the impact of unauthorized access and restrict lateral movement within networks. Regular audits of firewall configurations are essential to close unnecessary ports and services that could expose systems to scanning or exploitation attempts. Given that VPN providers often use dynamically assigned IP addresses, reliance solely on IP-based blocking is cautioned against; instead, organizations should correlate indicators with behavioral analytics, endpoint telemetry, and identity context.
Organizations must also integrate threat intelligence feeds and monitor activities associated with known VPN, hosting, or proxy provider autonomous systems commonly linked to anonymization services.
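The monitoring the advisory describes above (VPN-aware access controls, impossible-travel and simultaneous-session detection, and treating exit-node IPs as historical indicators to be corroborated with identity context rather than blocked outright) can be prototyped over authentication logs. The following is an added example, not code from the FBI or the source article; the exit-node addresses and log events are constructed placeholders, since the real indicator list is in the FLASH advisory.

```python
# Added example: correlate sign-in events with a historically observed VPN exit-node
# list and with per-user travel plausibility. An IP match alone is only a weak signal
# (addresses are reassigned); combined with impossible travel it is worth escalating.
import ipaddress
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Placeholder indicators (RFC 5737 documentation ranges), NOT real First VPN Service nodes.
VPN_EXIT_NODES = {ipaddress.ip_address("203.0.113.7"), ipaddress.ip_address("198.51.100.22")}

# Constructed sign-in events, sorted by time: (user, timestamp, source IP, lat, lon).
EVENTS = [
    ("alice", "2024-05-01T08:00:00", "192.0.2.10", 51.50, -0.12),   # corporate range, London
    ("alice", "2024-05-01T08:30:00", "203.0.113.7", 55.75, 37.60),  # VPN exit node, Moscow
    ("bob",   "2024-05-01T09:00:00", "192.0.2.11", 51.50, -0.12),   # corporate range, London
]

MAX_SPEED_KMH = 900.0   # faster than this between two logins is not plausible travel
SAME_TIME_KM = 100.0    # sessions at the same instant farther apart than this are suspicious


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def check_events(events, vpn_nodes, max_speed_kmh=MAX_SPEED_KMH):
    """Return findings as (user, timestamp, ip, [reasons]) for events that trip a rule."""
    findings, last_seen = [], {}
    for user, ts, ip, lat, lon in events:
        t, reasons = datetime.fromisoformat(ts), []
        if ipaddress.ip_address(ip) in vpn_nodes:
            reasons.append("historical-vpn-exit-node")     # corroborate, do not auto-block
        if user in last_seen:
            prev_t, prev_lat, prev_lon = last_seen[user]
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (t - prev_t).total_seconds() / 3600
            if hours <= 0 and dist > SAME_TIME_KM:
                reasons.append("simultaneous-distant-sessions")
            elif hours > 0 and dist / hours > max_speed_kmh:
                reasons.append("impossible-travel")
        last_seen[user] = (t, lat, lon)
        if reasons:
            findings.append((user, ts, ip, reasons))
    return findings


if __name__ == "__main__":
    for finding in check_events(EVENTS, VPN_EXIT_NODES):
        print(finding)
```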
Source: industrialcyber.co