In the latest phase of Operation Endgame, an international law enforcement operation, authorities from seven countries seized 300 servers and 650 domains used by malware loaders that provide ransomware gangs with initial access to victim networks.
"From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain," according to the joint action's official website.
"In addition, EUR 3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during Operation Endgame to EUR 21.2 million."
Together with private sector partners, authorities coordinated by Europol and Eurojust targeted multiple cybercrime operations, including Bumblebee, Latrodectus, Qakbot, DanaBot, Trickbot, and Warmcookie.
These malware strains are frequently provided as a service to other cybercriminals and are used to gain access to the networks of victims targeted in ransomware attacks.
"This new phase demonstrates law enforcement's ability to adapt and strike again, even as cybercriminals retool and reorganise. By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source," Europol Executive Director Catherine De Bolle added.
DanaBot charges
On Thursday, the U.S. Department of Justice also unsealed charges against 16 defendants allegedly part of a Russia-based cybercrime gang that ran the DanaBot malware operation.
The U.S. authorities named eight of the 16 Russian nationals indicted (Aleksandr Stepanov, Artem Aleksandrovich Kalinkin, Danil Khalitov, Aleksey Efremov, Kamil Sztugulewski, Ibrahim Idowu, Artem Shubin, and Aleksey Khudiakov), while the other eight were identified only by their online handles.
According to the complaint, the gang used the botnet to deploy additional malware payloads, including ransomware, infecting over 300,000 computers worldwide and causing damages exceeding $50 million.
DanaBot has been active since 2018 and operates on a malware-as-a-service model: its administrators lease access to the botnet and its support tools to other criminals for thousands of dollars per month. The malware can hijack banking sessions, steal data and browsing histories, and provide full remote access to compromised systems, including keystroke logging and video recording of user activity.
DanaBot's admins have also used a second version of this botnet for cyberespionage purposes, targeting military, diplomatic, and government organizations.
"This version of the botnet recorded all interactions with the computer and sent stolen data to a different server than the fraud-oriented version of DanaBot," the Justice Department said. "This variant was allegedly used to target diplomats, law enforcement personnel, and members of the military in North America and Europe."
Previous Operation Endgame actions
This week's action follows multiple earlier Operation Endgame phases, including the May 2024 seizure of over 100 servers hosting more than 2,000 domains used by malware loader operations such as IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC.
In June 2024, police also arrested a crypter specialist who worked with the Conti and LockBit ransomware gangs, packaging their malware so that antivirus software would not detect it.
In April, police tracked down the Smokeloader botnet's customers and detained at least five individuals, using intelligence from a seized database that recorded which cybercriminals had paid for Smokeloader subscriptions.
This week, Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot malware operation that compromised over 700,000 computers and enabled ransomware attacks, was also indicted in the United States.
Additionally, approximately 2,300 domains were seized earlier this month in a Microsoft-led disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer operation.