Governments take the fight to ransomware scammers
Phishing messages are the most common initial attack vector
Ransomware is now the biggest threat to our digital security. As the impact of attacks has become more and more serious, governments and security services have started to fight back. They are responding with new legislation, collaboration on the identification and pursuit of attackers, and measures to prevent ransom payments.
Phishing has overtaken RDP abuse as the main initial attack vector for getting ransomware inside organisations. So a lot can be gained by adopting modern mail security standards.
According to ENISA's report Threat Landscape 2022, ransomware is now the biggest threat to our digital security. More than 10 Tbyte a month is held to ransom, and an estimated 60 per cent of victims pay up. The amount of money handed over runs into billions [1], but the total cost of the attacks is typically far greater than the ransom alone [1]. However, it does seem that willingness to pay up is declining [1, 2].
It's also worth noting that there is considerable overlap between ransomware and several of the 7 other types of threat distinguished by ENISA: 'threatening data', 'threatening availability' and 'supply chain'.
According to ENISA, phishing is now the main initial attack vector for getting ransomware inside organisations [1]. It has overtaken abuse of the Remote Desktop Protocol (RDP), whose significance has declined, at least in relative terms. The reason why both vectors are popular with scammers is that they're cheap. However, ENISA also flags up a trend towards more sophisticated attack methods, based on spear phishing.
Ransomware attacks have long since progressed from the mere encryption of data and recent backups (holding availability hostage). Nowadays, data is typically stolen (data exfiltration) and published online or resold ('lock-and-leak') if the victim doesn't pay up (holding confidentiality hostage). Another development is the increasing popularity of Monero as the scammers' cryptocurrency of choice for ransom payments, rather than Bitcoin. The explanation is that Monero transactions cannot be traced.
It's increasingly common for a victim's customers to be informed directly or via the media that data concerning them has been stolen. In the most benign scenario, customers are merely used to apply pressure to the targeted organisation. Sometimes, however, the customers are themselves blackmailed by the crooks, in what's known as a 'supply chain' attack. Another prevalent strategy is now to combine a ransomware attack with a DDoS attack (RDoS) to form a triple/quadruple ransomware attack.
At the same time, ENISA has observed a contrasting trend (actually a shift from 'lock' to 'leak'): it's more and more common for a victim's data not to be encrypted but exfiltrated and then used to blackmail the victim. That saves the attackers from having to attempt complex and error-prone encryption and decryption processes. It also means that a victim cannot save the situation (i.e. restore their infrastructure) by falling back on a backup.
In recent years, governments have become actively involved in the fight against ransomware, partly because of the seriousness of the attacks, and partly because it's become increasingly common for critical infrastructure operators and government entities to be targeted. Services are brought down, key information resources are rendered inaccessible [1, 2] and highly confidential information about citizens is stolen and published [1], including identity documents [1, 2, 3].
According to ENISA, both the growing involvement of state actors [1] and hacktivists, and the upturn in attacks on (critical) public infrastructures have much to do with the Russia-Ukraine war. Another significant state actor is North Korea, whose strategies involve using ransomware [1, 2] to obtain cryptocurrencies and foreign currencies [Lazarus Group, WannaCry]. If you're interested in this topic, we recommend listening to the BBC's podcast The Lazarus Heist, whose second series began recently.
As geopolitical tensions continue to rise, ENISA expects state involvement to increase further in years to come. ENISA also believes that geopolitical tensions are one of the main drivers behind the growth of DDoS attacks, the biggest cybersecurity threat after ransomware.
Another reason for government intervention is the major social impact that ransomware attacks can have. A quarter of all attacks analysed by ENISA were aimed at the public sector, and government departments were by far the most seriously affected by all 5 of the defined impact types.
One consequence of greater state involvement is the increased focus on 'zero-day' vulnerabilities. That's due partly to the fact that, in some countries, such vulnerabilities must be reported to the government. However, the main reason is that the detection of zero-days is an expensive undertaking. Open-source software (libraries) provides an obvious point of entry for supply chain attacks: it makes zero-day and other vulnerabilities easier to find, and it can serve as a vehicle for an attempt to inject code.
Various governments have now labelled ransomware a threat to national security. That's led to a variety of governmental anti-ransomware initiatives, including the development of legislation. In the US, for example, a Ransom Disclosure Act is proposed, requiring victims to report ransom payments to the government (CISA) [Stop Ransomware]. More recently, the US passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), under which critical infrastructure operators will soon be obliged to report incidents. According to the UK's NCSC, reporting to and cooperation with the authorities are vital elements of anti-ransomware strategy.
Australia is now considering completely outlawing ransom payments, as several US states have already done. Meanwhile, the Counter Ransomware Initiative has proposed a more nuanced policy of outlawing ransom payments except in certain extreme circumstances, where public sector entities are threatened.
Alongside legislation, we are seeing more and more international initiatives aimed at tracing ransomware attackers and bringing them to justice [1]. Last autumn, 30 countries, including the Netherlands, met in Washington to discuss a collective international response to the ransomware threat. The aim of this Second Counter-Ransomware Initiative was to define standards for a multifactor strategy [1, 2].
As well as increasing the scope for identifying and prosecuting attackers, international collaboration is intended to frustrate attackers' ability to make use of extorted money. One way of doing that is to take down crypto-tumblers. Recently, for example, ChipMixer and Tornado Cash have been tackled (although not everyone approves [1, 2, 3]).
The most significant development from the Counter-Ransomware Initiative gathering has been the formation of the International Counter Ransomware Task Force.
In their efforts to trace attackers, the authorities have offered huge rewards for tip-offs and information [1, 2]. In many cases, long prison sentences have also been handed down to attackers [1, 2].
In response to the crackdown, hacker gangs have shown an increased tendency to disband quickly, only to subsequently reappear under a new name, and sometimes with different members, complicating efforts to hold them to account.
Another response to the growing involvement of state actors in ransomware attacks, and to their serious societal impact, has been that the military and national security services are playing an increasing role in the pursuit of attackers. The biggest attacks even have geopolitical implications sufficient to command the personal attention of the US president.
For example, the REvil group's supply chain attack on Kaseya created such waves that several group members were arrested by Russia's FSB. After another serious infrastructure attack targeted the Colonial Pipeline in the US, the group behind the attack (DarkSide, related to REvil) was forced to disband. The FSB's intervention in the first case was a result of the US president taking up the matter with his Russian counterpart. Then DarkSide's disbandment followed the president's threat to unilaterally impose sanctions.
One illustration of the seriousness of the impact of ransomware attacks is that they often lead to governments declaring a state of emergency. In the US, for example, a regional state of emergency was declared following the Colonial Pipeline attack. Oakland [1] and Louisiana [1] took similar action following ransomware attacks, as did the government of Costa Rica [1, 2, 3].
ENISA envisages that the military and national security services will be made responsible for defence, counterattack, information gathering, ransom retrieval, attacker apprehension and efforts to make ransomware attacks less lucrative.
Indeed, the Dutch government announced 2 years ago that it would deploy the military and security services in a scenario where national security was threatened by a ransomware attack.
Meanwhile, Google reported not long ago that the frequency of ransomware attacks on organisations in the US and other NATO countries had not increased in recent times. That was attributed to high-level interventions such as those described above, and to victims' increasing reluctance to pay ransom.
At the European level, the Network and Information Systems 2 Directive (NIS2) was published late last year [1]. The directive defines the protection measures and rules that operators of essential services and critical infrastructure must adopt and follow [1].
The main difference between NIS2 and its predecessor NIS1 is that much wider groups of industries and service providers are now considered 'critical' (see the lists in Annexes I and II to the directive). Whereas the sectors listed in Annex I are designated as being 'of high criticality', those listed in Annex II are merely 'critical'. As such, they are not required to meet the strictest security criteria, but operators in the relevant sectors are required to report incidents. The sectors of high criticality listed in Annex I include 'Digital infrastructure', a heading that covers TLD name registries (SIDN being one) and DNS service providers.
NIS2's implementation in Dutch law (known in EU jargon as 'transposition') has to be completed by the end of 2023. The new legislation will then come into effect, superseding the current Network and Information Systems Security Act (Wbni) by the end of 2024 [1].
The new legislation will be based on the Dutch Cybersecurity Strategy 2022-2028, published last autumn. That strategy in turn draws upon the findings of the National Cybersecurity Survey 2022 (CSBN). The National Cyber Security Centre (NCSC) serves as an advisory body for organisations in relevant sectors.
According to ENISA, the biggest victim of financially motivated ransomware attacks is industry, for the simple reason that industrial companies are most likely to pay ransom if their processes are interrupted for days or even weeks. Businesses are advised to prepare for incidents affecting their operational infrastructure, and to secure and compartmentalise their networks more effectively. That implies paying much closer attention to information security.
Big businesses are considered capable of supporting the cost of such measures, and of acquiring or hiring the necessary expertise. According to the Dutch National Bank (DNB), the European digital attack insurance market is underdeveloped, particularly for businesses below the multinational tier. The bank expects security to improve across the board as the market matures and insurers make requirements regarding clients' infrastructures, and as associated services become available [1].
For smaller organisations, arranging effective security against ransomware attacks is significantly harder. In the Netherlands last year, the Association of Netherlands Municipalities' Information Security Service (IBD) received 300 requests for assistance from members facing security incidents. The IBD reports that, as well as being twice as frequent as the year before, the incidents are increasingly likely to involve the prolonged interruption of municipal processes by ransomware [1]. (Cyber-)mayors are therefore calling for more attention and resources to be devoted to tackling the ransomware problem.
A covenant between the Association of Netherlands Municipalities and the central government has since been drawn up, as provided for in the Action Plan accompanying the Dutch National Cybersecurity Strategy 2022-2028. The covenant identifies 3 primary objectives:
Identification of digital security concerns and assignment of responsibilities
Promotion of security awareness amongst residents, organisations and the municipalities themselves
Structural funding of local information security
SMEs will generally have to fend for themselves, albeit with some help from the government. In the Digital Economy Strategy Document, the Minister of Economic Affairs identifies 5 ambitions for further digitisation of the Dutch economy. An important element of the strategy is to increase the digitisation of SMEs from 75 to 95 per cent, while ensuring appropriate security.
The government intends to help the business community realise that goal by actively informing individual organisations about vulnerabilities. Last summer, for example, Digital Trust Center (DTC) added a notification service to its support package, through which individual organisations can be proactively contacted about serious system vulnerabilities or tangible threats. In the US, the CISA has a comparable system specifically for ransomware risks: the Ransomware Vulnerability Warning Pilot (RVWP) [1].
Previously, the Dutch Enterprise Foundation (RVO) offered SMEs grants of up to 2500 euros for digitisation, including steps to secure the associated infrastructure. However, the Minister of Economic Affairs doesn't envisage providing a cyber-helpline for SMEs, or a fund to cover ransom payments. The Minister takes the view that SMEs should rely on the market for incident support and insurance.
In its Internet Crime Report 2022, the FBI says that ransomware reports were received from 870 organisations in 2022, far more than the year before.
In the Netherlands, the national police -- to whom 350 ransomware incidents were reported in the previous 3.5 years -- have for years been saying that they are working towards enabling the online reporting of ransomware attacks. However, the Security Research Council (OVV) believes that there is a growing discrepancy between the digital threat level and the associated preparedness level. After carrying out a survey of small businesses and sole traders, the DTC recently came to a similar conclusion, reporting that "the development of resilience amongst such enterprises does not appear to be keeping pace with the development of new attack methods by cybercriminals."
Although one would expect that internet access providers would have better security arrangements than the average network operator, they too are of course liable to suffer ransomware attacks on their infrastructures. Very recently, for example, SKP in South Holland was targeted. At the time of writing, the company has been working to restore its services for the past week.
Here at SIDN, we've been promoting the adoption of modern internet standards for many years. Nevertheless, with phishing now established as the main attack vector for ransomware, we feel it's important to restate the importance of mail system security standards. DANE for mail secures mail transport by authenticating the TLS certificate of the receiving Message Transfer Agent (MTA). The DKIM, SPF and DMARC protocols protect against phishing, spam and virus/malware distribution by securing the sender (the sending e-mail address), the host (the sending e-mail system) and the contents of the message. We have published a series of detailed hands-on guides to the configuration of those standards in the popular mail software packages Exim and Postfix. Check them out!
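To make the four standards named above concrete, here is an added example (not SIDN's code, and not taken from the Exim or Postfix guides) that parses a domain's SPF, DKIM, DMARC and DANE/TLSA records and flags the settings that leave a domain exposed: a non-enforcing SPF 'all' qualifier, a DMARC policy of p=none, a revoked DKIM key, or a missing or wrongly typed TLSA record. The zone data for example.com, the selector name sel1, the MTA name mail.example.com, the DKIM key value and the TLSA digest are all constructed placeholders; a real check would fetch the records from DNS (over a DNSSEC-validating resolver for the TLSA record) instead of reading a dictionary.

```python
import re

# Constructed sample DNS data for a hypothetical domain (not real records):
# record owner name -> list of record strings as they would appear in the zone.
GOOD_ZONE = {
    "example.com": ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=s"
    ],
    # p= carries a placeholder, not a real base64 RSA public key
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    # DANE-EE (3), SPKI (1), SHA-256 (1); the digest is a constructed placeholder
    "_25._tcp.mail.example.com": ["3 1 1 " + "ab" * 32],
}

WEAK_ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],   # softfail only
    "_dmarc.example.com": ["v=DMARC1; p=none"],                 # monitor, no enforcement
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p="],      # empty p= = key revoked
    # no TLSA record for the MTA at all
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(txt):
    """Split an SPF record into terms; report the 'all' qualifier and lookup count."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qual, lookups = None, 0
    for term in terms[1:]:
        qual = "+"                      # the implicit qualifier is pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qual = qual
        elif name in SPF_LOOKUP_MECHS:
            lookups += 1
    return {"all": all_qual, "lookups": lookups}


def parse_tags(txt):
    """Parse a 'tag=value; tag=value' record (the form DMARC and DKIM both use)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_tlsa(rr):
    """Parse 'usage selector mtype hexdata' and check the digest length."""
    usage, selector, mtype, data = rr.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    lengths = {0: None, 1: 64, 2: 128}  # full data, SHA-256 hex, SHA-512 hex
    if mtype not in lengths:
        raise ValueError("unknown TLSA matching type")
    if lengths[mtype] is not None and len(data) != lengths[mtype]:
        raise ValueError("TLSA digest length does not match matching type")
    return usage, selector, mtype, data


def assess_mail_domain(zone, domain, mx_host, dkim_selector):
    """Return a list of weaknesses found in the domain's mail-security records."""
    findings = []

    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record")
    else:
        info = parse_spf(spf[0])
        if info["all"] != "-":
            findings.append(f"SPF: 'all' qualifier is '{info['all']}', not '-all'")
        if info["lookups"] > 10:
            findings.append("SPF: exceeds 10 DNS-lookup terms (permerror)")

    dmarc = zone.get(f"_dmarc.{domain}", [])
    if not dmarc:
        findings.append("DMARC: no record")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy p={tags.get('p')} does not enforce")
        if "rua" not in tags:
            findings.append("DMARC: no rua= aggregate-report address")

    dkim = zone.get(f"{dkim_selector}._domainkey.{domain}", [])
    if not dkim:
        findings.append("DKIM: selector record missing")
    elif not parse_tags(dkim[0]).get("p"):
        findings.append("DKIM: public key empty (selector revoked)")

    tlsa = zone.get(f"_25._tcp.{mx_host}", [])
    if not tlsa:
        findings.append("DANE: no TLSA record for the MTA")
    elif parse_tlsa(tlsa[0])[0] not in (2, 3):
        findings.append("DANE: SMTP TLSA must use DANE-TA (2) or DANE-EE (3)")

    return findings


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("weak", WEAK_ZONE)):
        print(label, assess_mail_domain(zone, "example.com", "mail.example.com", "sel1"))
```

The 'good' zone produces no findings; the 'weak' zone produces five, one per misconfiguration listed in its comments. The TLSA usage check follows RFC 7672, which only permits the DANE-TA and DANE-EE usages for SMTP, and the 10-lookup limit comes from RFC 7208.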