Law Enforcement Agencies Disrupt Initial Access Malware Operation Linked to Ransomware Deployment


A significant law enforcement initiative has successfully dismantled critical initial access malware used in orchestrating ransomware attacks. This operation, coordinated by Europol and announced on May 23, marks a crucial progression in ‘Operation Endgame,’ an ongoing effort to dismantle and prosecute cybercriminal factions globally.

The latest phase of this operation zeroes in on malware variants that facilitate ransomware attacks and are integral to the ransomware-as-a-service (RaaS) ecosystem. Law enforcement agencies have managed to neutralize various malware strains frequently utilized by initial access brokers operating in the RaaS marketplace. The following malware variants were targeted:

– Bumblebee
– Latrodectus
– QakBot
– HijackLoader
– DanaBot
– TrickBot
– WarmCookie

Europol has indicated that these variants are typically marketed as services to other cybercriminals, providing the groundwork for substantial ransomware assaults.

In total, authorities successfully took down 300 servers worldwide and seized 650 domains associated with these malware strains over the course of the operation from May 19 to May 22. Additionally, international arrest warrants have been issued for 20 individuals believed to be facilitating or operating initial access services for ransomware operators. Law enforcement’s actions also resulted in the confiscation of approximately €3.5 million ($3.9 million) in cryptocurrency, significantly raising the total seized during Operation Endgame to €21.2 million ($24 million).

Europol stated that this operation has dealt a “direct blow” to the ransomware kill chain, underscoring its impact. Investigators from Canada, Denmark, France, Germany, the Netherlands, the UK, and the US collaborated with Europol’s European Cybercrime Centre and its Joint Cybercrime Action Taskforce to execute the operational plan.

The recent phase of Operation Endgame follows the largest coordinated law enforcement strike against botnets, which occurred in May 2024, disrupting malware droppers such as IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. Both Bumblebee and TrickBot re-emerged following that action and were subsequently targeted in this latest operation.

This initiative is part of broader law enforcement crackdowns on international cybercrime that include collaboration with Microsoft to disrupt the infrastructure of Lumma Stealer, one of the world’s most notorious infostealer operations. Furthermore, on May 22, Europol announced the findings of Operation RapTor, which focused on fentanyl and opioid trafficking as well as the sale of other illicit goods and services on the dark web, resulting in 270 arrests of dark web vendors and buyers across four continents.

In conjunction with Operation Endgame, US authorities have brought charges against various individuals suspected of being involved in the development and deployment of the QakBot and DanaBot malware. A federal indictment issued on May 22 charges Rustam Rafailevich Gallyamov, aged 48, from Moscow, Russia, as the leader of a cybercriminal group responsible for QakBot malware. Additionally, 16 Russians have been charged regarding the development and deployment of DanaBot malware. The US highlighted the cooperation of numerous tech companies, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, SpyCloud, Team Cymru, and Zscaler, in the DanaBot investigation.