Melissa: a collaborative ransomware fight

The Public Prosecutor’s Office (OM), the police, the National Cyber Security Center (NCSC), Cyberveilig Nederland and several private parties* from the cybersecurity sector signed the ‘Melissa’ covenant today. Melissa is a partnership between these public and private parties to combat ransomware attacks. The common goal is to make the Netherlands an unattractive target for ransomware criminals.

Ransomware is hostage software that cybercriminals use to encrypt individuals’ or organizations’ data so that it is no longer accessible. Sensitive information is also often stolen. Only after paying a ransom does one regain access to the data.

First results of partnership

The partnership involves the parties exchanging information with each other on a structural basis and sharing and discussing current developments more frequently. The Melissa covenant sets out the legal, organizational and technical arrangements of this partnership. The collaboration began back in 2021 and previously led to successful operations such as Deadbolt, Genesis Market and most recently Operation Qakbot. There were also achievements in the tactical area, such as the creation and sharing of statistics on ransomware attacks and the published white papers Exfiltration v3.0 and Ransomware and best practices, for example.

Disruption of society

Ransomware attacks can disrupt our society: businesses are shut down, hospitals can no longer provide care, important personal data is stolen from municipalities or other organizations. This stolen data can be sold or used for other forms of (cyber) crime, such as identity theft. Moreover, our national security may be compromised if vital systems are threatened with failure. Consider access to drinking water, electricity, the Internet and payments that are essential to the daily lives of most people in the Netherlands. Thus, many people and organizations can become victims, and the social impact of ransomware attacks is enormous.

Vulnerability of organizations

Many organizations think they are not targets for ransomware attacks, for example, because their data would not be of interest to criminals. The opposite is true: without proper digital security, everyone is vulnerable. It is therefore of great importance to our society that we join hands to fight this serious form of crime in a more targeted way, increase the chances of catching cyber criminals and reduce the chance of impact for victims.

Prevention is better than cure

To prevent ransomware criminals from successfully striking, it is necessary to properly secure systems. For example, in addition to detection such as network monitoring, it helps to install a good anti-virus program. Also, a good disaster recovery plan and keeping software up-to-date can often prevent or reduce a lot of suffering. The NCSC website includes information on how to take preventive action and what to do to mitigate the effects of an attack. When individuals or organizations do fall victim to ransomware, it always makes sense to report it to the police as soon as possible. Reporting helps minimize the damage suffered, prevent new victims and track down criminals. How to report and proceed can be found on the police.com website.

Expanding partnership

The covenant is the starting point for developing the operational cooperation between the public and private parties on a structural basis. This is done from one shared vision: to work towards a digitally secure Netherlands where parties are mindful of each other’s interests. All parties are working hard on new products, knowledge sharing, more joint operations and ransomware/cybercrime publications for the benefit of the Netherlands’ resilience.

Q&As signing covenant 'Melissa'

Ransomware is hostage software that cybercriminals use to encrypt individuals’ or organizations’ data so that it is no longer accessible. Only after paying a ransom will you regain access to the data. Ransomware attacks can disrupt our society: businesses are shut down, hospitals can no longer provide care, important personal data is stolen from municipalities or other organizations. This stolen data is sold or used for other forms of (cyber) crime. Moreover, our national security may be compromised if vital systems are threatened with failure. Thus, many people and organizations can become victims, and the social impact of ransomware attacks is enormous.

There is currently too little insight into the extent of the threat of ransomware and other forms of cybercrime for the Netherlands. This is partly due to the lack of information (sharing) and joint analysis by the parties with a role in combating this type of cybercrime. Parties all have “pieces of the puzzle,” but they are not adequately put together. This stands in the way of effective control.

A chain-wide approach is needed, from prevention to investigation and prosecution. Through the partnership “Melissa,” we aim to make this a reality. We want to combat ransomware and other related forms of cyber-attacks more effectively and efficiently by bringing together the expertise of public and private organizations. How do we do that? By sharing better information about threats and incidents, by cooperating better in the event of incidents and, in addition, by providing society with effective action perspectives, which we have obtained from shared experience.

By sharing relevant information with each other, we as collaborating parties will have a more complete overview of the chain of attack, and the operational and tactical information associated with it. This allows us as a chain to optimally perform our public duty, serve the public interest and prevent and limit damage.

The Police, the Public Prosecutor’s Office (OM), the National Cyber Security Center (NCSC), Cyberveilig Nederland (CVNL) and several private parties from the cybersecurity sector have been working hard for the past year and a half on this public-private partnership called “Melissa.” Cybersecurity companies operate on the front lines against criminals and other malicious actors who cause great harm to Dutch interests and the Dutch economy. By working better together and sharing more information with each other, we can really make a difference and make the Netherlands an unattractive target for cybercriminals.

While setting up the collaboration, it emerged that several organizations were dealing with a negotiator named “Melissa” in contacts with cybercriminals. Melissa appeared to negotiate on behalf of several cybercriminal organizations: information that was very useful to both private and public parties. The continued cooperation and creation of the covenant was therefore named “Melissa.”

The goal of the Melissa partnership is to make the Netherlands an unattractive target for the ransomware attack chain. To achieve this objective, we will:

  • Structurally share relevant (tactical and operational) knowledge and information so that affiliates have a better understanding of the ransomware attack chain. This allows us to optimally perform our (public) tasks, serve the public interest and prevent and limit damage;
  • Improve (public-private) cooperation, by sharing knowledge and information through, among other things, standardized consultations and designated communication channels; and
  • Provide action perspectives to society by publishing knowledge products and information documents.

Within the partnership, the legal, organizational and technical expertise required to counter ransomware attacks has been established. Several unique specialties and experiences of the various participants are brought together: lawyers, forensic specialists, investigators, prosecutors, policy officers, incident responders are all united in Melissa.

The cooperation is defined in a covenant, which was signed at the ONE conference on Oct. 3, 2023.

Knowledge was already being exchanged, products (white papers) were being worked on jointly, and ransomware statistics were being collected and shared. Close cooperation was also already taking place on the basis of certain investigations or information (Operation Deadbolt and Qakbot), but with the agreements made in the covenant, a legal basis has been established to structurally exchange information with each other. This should ultimately ensure that ransomware incidents are prevented, that the impact of an incident is smaller and that suspects can be criminally prosecuted more quickly.

Affiliates share their information on ransomware incidents with the NCSC on a structural (monthly) basis. It is mainly operational and tactical information. For example: system data, such as addresses of servers, hosting providers, and so on. The NCSC processes these in a report and shares it with all Melissa affiliates.

These are data that are traceable to an organization and not (without additional information) to a natural person. Occasionally, the information shared will include personal data or may be traceable to a natural person. These personal data are processed in the affiliated parties’ own data files, based on the laws and regulations applicable to the parties. There is also a duty of confidentiality that every organization affiliated with Melissa must abide by.

Information within Project Melissa is shared in a variety of ways. Technical information is shared:

  • through a special platform “MISP,” which is hosted by Cyberveilig Nederland
  • through a dedicated platform ‘Mattermost’ and a monthly survey through Securened, which is hosted by the National Cyber Security Center (NCSC)

In addition, monthly meetings are organized where affiliates discuss various technical, policy and legal developments.

We do this through various projects and actions, such as:

  • Knowledge sharing and exchange on ongoing ransomware cases through monthly tech sessions
  • The collaboration has already led to concrete actions: Operation Deadbolt and Qakbot.
  • Putting the pieces of information together gives us a better view of the problem of ransomware. As a result, we are also better able to prevent and fight it.

The partnership consists of several parties from the public sector (Police, Public Prosecutor’s Office and National Cyber Security Center) and from the private sector (Cyberveilig Nederland and some of its members).

Public Parties:

  • the Police,
  • the Public Prosecutor’s Office (OM),
  • the National Cyber Security Center (NCSC),

Private Parties:

  • Trade association Cyberveilig Nederland (CVNL).
  • And the following members in alphabetical order:
    • Computest
    • DataExpert
    • Deloitte
    • Fox-IT
    • NFIR
    • Northwave
    • Kennedy and van der Laan
    • Tesorion
    • Trellix
    • Responders

The cooperation began in 2022 and was formalized on Oct. 3, 2023. The term is three years, and it can be renewed for one year at a time.

Cooperation in Melissa is primarily focused on attacks on organizations, or incidents affecting the Netherlands’ critical infrastructure. There are other initiatives for citizens, which incidentally include one or more parties involved in the Melissa covenant. Consider, for example, NoMoreRansom and Alert Online. Of course, the project’s knowledge and expertise do feed into the fight against ransomware targeting citizens.

Within the collaboration, tactical and operational data regarding cyber-attacks will be shared. In most cases, this will be actual data, such as the malware and legitimate software used and server IP addresses. There is no large-scale processing of personal data, but the information shared may contain personal data. Consider, for example, communications with a suspected criminal group, or a crypto wallet directly connected to a person. The information shared within this collaboration is based on targeted research and has been obtained within legal frameworks.

Yes. Information sharing is within the legal frameworks of member organizations. This is established in:

  • Article 3 of the Police Act,
  • Article 124 of the Judicial Organization Act (RO Act);
  • Article [3] of the Network and Information Systems Security Act (Wbni);
  • The legitimate interest of the Private Parties pursuant to Article 6(1)(f) AVG and Article 89 AVG.
  • The Network and Information Systems Security Act (Wbni);

There is a legal basis for public organizations to share information with each other. Cyberveilig Nederland has also been designated by the Ministry of Justice and Security as a link organization (OKTT) under the Network and Information Systems Security Act (Wbni).

In addition, private parties such as DataExpert, Deloitte, Fox-IT, NFIR, Northwave and Tesorion are licensed to share information (and personal data of a criminal nature) with each other (under the Private Security Organizations and Investigation Agencies Act).

Responders.NU is currently initiating an application to obtain such a permit. As for Computest, Kennedy Van der Laan (legal profession) and Trellix, they do not have such a license and by the nature of their activities (at present) do not qualify for one. However, they either have a non-disclosure agreement (legal profession) or have a steadfast partnership with one of the public parties on ransomware.

Knowledge and skills are shared and parties know how to find each other quickly. There have also been some concrete products and (detection) successes from this cooperation:

  • Two white papers have been published, sharing knowledge and expertise (and providing insight and action perspectives):
  • There have been several successes by the police and prosecutors in investigation and prosecution, including in investigations:
  • Information about ransomware attacks is shared monthly and processed into statistics.
  • Several working methods and instructions have been tightened, including an improved declaration process.

Each year at the board level, progress is discussed, and goals are evaluated.

Every organization – both public and private – was already working and collaborating on ransomware issues. Through the partnership “Melissa,” this information, knowledge and expertise is now exchanged on a structural basis. This should ultimately ensure that incidents are prevented, the impact of an incident is reduced and suspects can be criminally prosecuted more quickly.

The Public Prosecutor’s Office, the Police and the NCSC all already work together internationally, and a number of private parties affiliated with Melissa also already work internationally. Much of the knowledge and expertise built from Project Melissa will therefore be shared with these international collaborations.

Ransomware is considered such a big problem by the Dutch government because it leads to social disruption and poses risks to our national security. The private parties involved also see that the bulk of cybersecurity incidents affecting organizations come from ransomware.

This is possible in time. Currently, the collaboration consists of the named public organizations and cybersecurity companies affiliated with Cyberveilig Nederland. It is certainly the intention to expand the project to other organizations that want to actively share information about ransomware.
However, a number of entry requirements have been established. For example, the private parties involved must have a quality mark and/or search license acceptable in the Netherlands, or have a legal framework for confidentiality (such as lawyers). Private parties that cooperate with the NCSC, the Police or the Public Prosecution Service in the field of increasing resilience or investigation and prosecution can also be admitted.