Law enforcement conducts largest ever botnet takedown

In a significant crackdown on cybercrime, law enforcement agencies have disrupted several notorious botnets and malware droppers commonly used in ransomware attacks. The operation, known as Operation Endgame, resulted in four arrests, more than 100 server seizures, and 2,000 domain takeovers. Led by authorities from France, Germany, and the Netherlands, with support from other countries and private industry partners, the takedowns occurred from May 27 to May 29.

The operation focused on disrupting various malware droppers such as IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee. Additionally, agencies successfully shut down Trickbot, a botnet that had been nearly eliminated by Microsoft in 2020 before its operators quickly restored its infrastructure. Europol emphasized how these malware droppers, though not inherently malicious, are used by attackers to bypass detection tools and deploy ransomware, spyware, and other forms of malware. Ransomware has become a growing threat and a persistent target of law enforcement efforts.

“This is the largest operation against botnets to date, which play a crucial role in the deployment of ransomware,” stated Europol in a press release. The action aimed to disrupt criminal services by arresting high-value targets, dismantling criminal infrastructure, and freezing illegal proceeds. The impact of the operation on the dropper ecosystem was global, as the malware taken down during the operation facilitated attacks involving ransomware and other malicious software.

Europol highlighted the specific purposes of the disrupted malware droppers: Bumblebee was typically used in phishing campaigns to deliver additional malicious payloads, while Smokeloader and SystemBC facilitated the installation of malware and threat actor communications, respectively. Pikabot and IcedID were used by threat actors to gain initial access to victim networks and deploy ransomware.

In addition to dismantling cybercriminal infrastructure, Operation Endgame led to the arrest of four individuals, one in Armenia and three in Ukraine. Eight additional suspects were identified and served summons but have not yet been arrested. Europol made it clear that the operation will continue beyond the initial takedown: further actions will be announced on the Operation Endgame website, and suspects involved in botnets will be held accountable for their actions.

The operation also revealed the significant proceeds earned by ransomware actors through their attacks, with one suspect reportedly earning at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites for ransomware deployment. With ransomware attacks reaching historic highs in recent years, governments and law enforcement agencies worldwide have ramped up efforts to combat cybercriminal activities.

Jon Clay, VP of threat intelligence at Trend Micro, praised the effectiveness of the takedown, emphasizing the importance of arrests and infrastructure dismantling in combatting cybercrime. Despite the success of such operations, Clay noted the need for harsher sentencing to further deter cybercriminals and prevent their resurgence.

Ian Usher, deputy global practice lead for strategic threat intelligence at NCC Group, echoed the sentiment that these takedowns represent a significant blow to cybercriminals but stressed the need to assess their long-term effectiveness. Meanwhile, Alexandru Catalin Cosoi, chief security strategist at Bitdefender, highlighted the critical role of public-private sector coordination in combating cybercrime and emphasized the message that cybercriminals cannot hide from international efforts to track them down.

The success of Operation Endgame serves as a warning to cybercriminals that law enforcement agencies are increasingly aggressive in pursuing and dismantling criminal operations. While the impact of such actions can be substantial, the ongoing challenge lies in sustaining these efforts and ensuring long-term disruption of cybercriminal activities.
