It's been a bad week for ransomware operators
A host of ransomware strains have been neutralized, servers seized, and key players indicted
Hundreds of servers have been taken down as part of an international law enforcement operation against ransomware groups.
Coordinated by Europol and Eurojust, the action saw key infrastructure dismantled over the last week, with 300 servers taken down, 650 domains neutralized, and nearly two dozen international arrest warrants issued.
In a statement confirming the campaign, Europol revealed more than €3.5 million in cryptocurrency was seized.
This brings the total amount netted during Operation Endgame - an ongoing, international operation against ransomware services and infrastructure - up to more than €21.2 million.
The operation focused on initial access malware, and neutralized the Bumblebee, Lactrodectus, Qakbot, Hijackloader, DanaBot, Trickbot, and Warmcookie malware strains.
Arrest warrants were issued against 20 individuals believed to be providing or operating initial access services to ransomware operators.
This latest phase of Operation Endgame follows on from the largest-ever international action against botnets in May 2024. That targeted the new malware variants and successor groups that had re-emerged after previous takedowns.
"This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cyber criminals retool and reorganize," said Europol executive director Catherine De Bolle.
"By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source."
Europol has now put out a public appeal to track down suspects who are believed to have provided or operated the ransomware tools.
DanaBot ransomware criminals snared
Meanwhile, also as part of Operation Endgame, the US Department of Justice has indicted a series of people associated with two of the ransomware groups.
Russian national Rustam Rafailevich Gallyamov, 48, is charged with leading the cyber crime group that developed and deployed the Qakbot malware.
From 2019 onward, it's alleged, Gallyamov used the Qakbot malware to infect thousands of computers around the world as part of a botnet.
Once in, he's said to have provided access to co-conspirators who infected the computers with ransomware, including Prolock, Dopplepaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus.
In exchange, he allegedly received part of the ransoms received from victims.
Similarly, another 16 people have been indicted for developing and deploying the DanaBot malware, which infected more than 300,000 computers around the world for fraud and ransomware, and which caused at least $50 million in damage.
"The enforcement actions announced today, made possible by enduring law enforcement and industry partnerships across the globe, disrupted a significant cyber threat group, who were profiting from the theft of victim data and the targeting of sensitive networks," said special agent in charge Kenneth DeChellis of the Department of Defense Cyber Field Office.
"The DanaBot malware was a clear threat to the Department of Defense and our partners. DCIS will vigorously defend our infrastructure, personnel, and intellectual property."
MORE FROM ITPRO
- What is polymorphic malware?
- Why ‘malware as a service’ is becoming a serious problem
- Malware-free attacks: The threat to businesses
-
The EU is charting a course to digital independence with the technological sovereignty packageNews New legislation looks to shore up digital sovereignty and reduce reliance on foreign tech
-
Anthropic warns AI is helping lower the bar for up-and-coming hackersNews AI is making it harder to differentiate between high and low-skilled actors
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Claude users beware, hackers are using a fake website to dupe developers and deliver malwareNews 'Beagle' is deployed through a Dynamic Link Library (DLL) sideloading chain, and gives attackers remote access to the system
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victimsNews A fake interview process uses coding tests and repo downloads to deliver malware
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Security leaders overconfident about ransomware recovery
News Few manage to recover all their data, and many experience business disruption
