THE HAGUE, Netherlands (AP) — Under coordination by the European Union’s justice and police agencies, authorities have dismantled computer networks responsible for disseminating ransomware through infected emails. This effort marks the largest international operation to counter such a lucrative cybercrime.
The European Union’s judicial cooperation agency, Eurojust, announced Thursday that police apprehended four “high value” suspects, decommissioned over 100 servers, and took control of more than 2,000 internet domains.
This enormous takedown, code-named Endgame, involved synchronized actions in Germany, the Netherlands, France, Denmark, Ukraine, the United States, and the United Kingdom. Eurojust added that three suspects were detained in Ukraine and one in Armenia, with searches conducted in Ukraine, Portugal, the Netherlands, and Armenia, according to EU police agency Europol.
This operation follows a string of international efforts targeting malware and ransomware operations, including the 2021 takedown of the Emotet botnet. A botnet is a network of commandeered computers typically used for malicious purposes.
Europol emphasized that this takedown is not the end. “Operation Endgame does not end today. New actions will be announced on the website Operation Endgame,” Europol stated.
Dutch police cited financial damages inflicted by the network on governments, companies, and individual users, estimated to run into hundreds of millions of euros (dollars). “Millions of people are also victims because their systems were infected, making them part of these botnets,” stated the Dutch police.
Eurojust revealed that one of the primary suspects amassed cryptocurrency worth at least 69 million euros ($74 million) by renting out infrastructure for spreading ransomware. “The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained,” Europol added.
The operation targeted malware “droppers” named IcedID, Pikabot, Smokeloader, Bumblebee, and Trickbot. Droppers are malicious software often spread in emails containing infected links or attachments such as shipping invoices or order forms.
“This approach had a global impact on the dropper ecosystem,” Europol noted. “The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software.”
Dutch police advised that these actions should serve as a warning to cybercriminals that they can be apprehended. “This operation shows that you always leave tracks, nobody is unfindable, even online,” Stan Duijf of the Dutch National Police said in a video statement.
The deputy head of Germany’s Federal Criminal Police Office, Martina Link, described it as “the biggest international cyber police operation so far.” “Thanks to intensive international cooperation, it was possible to render six of the biggest malware families harmless,” Link said in a statement.
German authorities are pursuing the arrest of seven individuals suspected of being members of a criminal organization aimed at spreading the Trickbot malware. An eighth individual is suspected of being a leader of the group behind Smokeloader.
Europol stated that the eight suspects being sought by Germany will be added to its most-wanted list.
___
Associated Press writer Geir Moulson in Berlin contributed to this report.