
Law enforcement conducts 'largest ever' botnet takedown

An international law enforcement effort called 'Operation Endgame' disrupted several infamous malware loaders and botnets used by ransomware gangs and other cybercriminals.

In the latest high-profile law enforcement action against cybercrime, agencies disrupted several notorious botnets and malware droppers widely used in ransomware attacks.

Europol on Thursday announced that an international law enforcement action, dubbed Operation Endgame, led to four arrests, more than 100 server seizures and 2,000 domain takeovers. Europol said France, Germany and the Netherlands led the takedowns that occurred from May 27 to May 29. The operation also involved agencies from Denmark, the U.K., the U.S., Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine as well as private industry partners.

Operation Endgame disrupted several malware droppers, including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee. Agencies also shut down Trickbot, a botnet Microsoft nearly eliminated in 2020 before its operators quickly restored the infrastructure.

Europol emphasized that while droppers are not inherently malicious, attackers use them to bypass detection tools and deploy ransomware, spyware and other types of malware. Ransomware is a growing threat and a continued target of law enforcement operations.

"This is the largest ever operation against botnets, which play a major role in the deployment of ransomware," Europol wrote in the press release. "The actions focused on disrupting criminal services through arresting High Value targets, taking down the criminal infrastructure and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software."

Europol said Bumblebee was typically deployed in phishing campaigns and used to deliver additional malicious payloads to victims' networks; Smokeloader was also used to install additional malware. SystemBC was used for threat actor communications between infected systems and command-and-control servers. Pikabot is a Trojan used by threat actors to gain initial access to victim networks. IcedID was originally developed as a banking Trojan but was later used as a malware dropper.

Europol noted that all the malware droppers and botnets disrupted during the operation are currently being "used to deploy ransomware and are seen as the main threat" in the attack chain.

In addition to dismantling cybercriminal infrastructure, Operation Endgame also resulted in four arrests of unnamed suspects. One individual was arrested in Armenia, and three were arrested in Ukraine. Agencies identified eight additional suspects who have not been arrested but were served summons, according to the official Operation Endgame website.

"Operation Endgame does not end today. New actions will be announced on the website Operation Endgame," Europol said in the press release. "In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions. Suspects and witnesses will find information on how to reach out via this website."

Europol also shed light on the proceeds ransomware actors gained through their attacks. "Furthermore, it has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware," the press release read.

Cybersecurity vendors observed historic highs for ransomware attacks in 2023, and the trend has continued into 2024. However, governments and law enforcement agencies across the globe have responded with various operations and actions against cybercriminals. For example, earlier this month, authorities identified and issued sanctions against the alleged LockBit ransomware gang ringleader known as LockBitSupp.

Jon Clay, vice president of threat intelligence at Trend Micro, told TechTarget Editorial that Thursday's takedown is the most effective type of action because it combined arrests with an infrastructure takedown. Clay added that there have been several law enforcement actions this year, which shows agencies are becoming more aggressive in going after cybercriminal groups and threat actors.

While he applauded increased law enforcement activities and arrests, Clay said harsher sentencing is needed to further deter cybercriminals.

"The challenge has always been the ability to arrest the individuals involved with the action since taking down the infrastructure alone isn't a guarantee that the group stops their activities and typically only disrupts them for a short period while they rebuild," Clay said. "With this latest one, unless they arrested the entire group, we will likely see something arise in the future."

Ian Usher, deputy global practice lead for strategic threat intelligence at NCC Group, agreed that these types of takedowns are a significant blow to cybercriminals. However, he added that it remains to be seen how effective it will be in the long term. "It's another major success for the international law enforcement community, evidencing their ability to share intelligence and coordinate activity across international borders and jurisdictions," Usher said.

Alexandru Catalin Cosoi, chief security strategist at Bitdefender, which assisted law enforcement in Operation Endgame, said the effort highlighted how important coordination between the private and public sectors is in the fight against cybercrime.

"The success of this operation is a wake-up call for cybercriminals. They should understand if they are caught in the crosshairs of an international effort to find them, it is difficult to hide," Cosoi said.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
