Budapest Convention on Cybercrime and its Second Additional Protocol

In November 2022 the Cybercrime Convention Committee (T-CY) adopted a Guidance Note on Ransomware which shows how offences of the Budapest Convention on Cybercrime may comprise conduct related to ransomware attacks, how the procedural powers and international-cooperation tools of the Convention may be used to cooperate on ransomware offences, and how the Second Additional Protocol to the Convention on Cybercrime, once in force, will provide its Parties with further tools to obtain the disclosure of electronic evidence to investigate and prosecute offenders.  

 

 Guide for conducting criminal investigations of ransomware attacks

The Guide for criminal investigations of ransomware attacks provides an overview of the particularities of offences related to ransomware and focuses on the main steps and tools of investigation, collection and analysis of evidence, direct cooperation of criminal justice authorities with service providers and international cooperation. The guide also provides further resources and templates for the use of practitioners.

 

 Guide on seizing cryptocurrencies

The Guide on seizing cryptocurrencies was developed to serve as a "toolbox" for cybercrime investigators in hands-on activities related to virtual currencies. It provides criminal justice practitioners with a general overview on cryptocurrencies, legal actions that can be taken when targeting illicit activities, best practices on international level and rules of seizing/freezing virtual coins.

 

 Capacity building for practitioners

Capacity building is essential for effective action on ransomware and limitations in capacities and resources are a major obstacle to effective responses to this challenge. The specialized Cybercrime Programme Office (C-PROC) in Romania assists countries worldwide in the strengthening of their criminal justice capacities to counter the challenges of cybercrime and electronic evidence in line with the Budapest Convention on Cybercrime and its Protocols. More than 2100 activities benefitting over 130 countries have since been supported.

Domestic simulation exercises on effective sharing of data between cybersecurity and cybercrime communities promoted cooperation between cybersecurity and law enforcement authorities in the investigation of ransomware attacks, while regional exercises helped improve interagency and international cooperation for the investigation of ransomware attacks and for securing and sharing electronic evidence.

 

 Fora for trust, dialogue and partnerships

Fora for trust, dialogue and partnerships among practitioners such as EUROJUST/Council of Europe conference on ransomware, workshops on ransomware and on financial (virtual currency) investigations during Octopus Conferences, or supporting the participation of experts in relevant training and events organized by other organizations significantly contribute to enhanced cooperation and joint responses to ransomware.

 

 Materials and Tools

Materials and Tools on ransomware and related financial investigations developed by the Council of Europe within its capacity building programmes provide practitioners with training opportunities and resources to further strengthen their skills and knowledge on investigation of ransomware attacks and handle electronic evidence.