Europol, the DoJ and other law enforcement agencies “neutralized” a swathe of malware strains this week, which they said was a “direct blow to the ransomware kill chain.”
The actions were part of the ongoing Operation Endgame which targeted a series of botnets just over a year ago.
But it’s worth remembering that the latest actions were largely focused on “malware variants and successor groups” that sprang up after last year’s operation.
The Eurocops said in a statement that, together with Eurojust, it had coordinated actions that had “dismantled key infrastructure behind the malware used to launch ransomware attacks” since the beginning of the week.
This had involved taking down 300 servers worldwide, spiking 650 domains and issuing international arrest warrants against 20 targets. The authorities also seized €3.5 million of cryptocurrency. That raises the total pot seized by the operation to €21.5 million.
The DoJ trumpeted its indictment of Rustam Rafailevich Gallyamov, 48, alleged to be the leader of the group behind the Qakbot malware strain.
It has also issued a forfeiture complaint for $24 million seized from Gallyamov over the course of the investigation. However, that is likely to be as hard as they can hit him, as he is based in Moscow.
Qakbot was initially targeted a year ago.
“Mr. Gallyamov's bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally,” said Akil Davis, Assistant Director in Charge, at the FBI’s Los Angeles Field Office.
A mushrooming business
Other strains Europol said had been neutralized include Bumblebee, Latrodectus, Hijackloader, DanaBot, Trickbot and Warmcookie.
Selena Larson, Staff Threat Researcher at Proofpoint, told The Stack: "Criminals will find ways to continue doing crime. For example, in email threat data, threat actors who distributed Qbot pivoted to Pikabot malware, which was then subsequently targeted for disruption in 2024 via Operation Endgame and removed from the threat landscape."
The loaders and botnets targeted under Operation Endgame have largely disappeared, she said. While the criminals involved could pivot to other tools or techniques, she said, "Infrastructure disruptions, naming and shaming, and even temporary takedowns can have further impacts.
"For example, threat actors may be wary of buying such malware in the future, or working with the criminals associated with the malware, or even potentially make criminals think about finding a different career."
The identities of 18 suspects are due to hit the EU Most Wanted List today.
However, if they are proximate neighbours of Gallyamov, while some of their assets might be vulnerable to Western authorities, it’s unlikely they’ll be in custody anytime soon.
Also this week, Europol worked with Microsoft to “disrupt” Lumma Stealer, which it described as the world’s “most significant infostealer threat”. The operation identified almost 400,000 infected computers and saw 1,300 domains seized.
And Europol claimed that an “international sweep” dubbed Operation RapTor had led to the arrest of 270 dark web vendors and buyers, spanning drugs, weapons and counterfeit goods. Seizures included €184 million in cash and crypto, two tonnes of drugs, and over 180 weapons.