What will be the impact of Operation Endgame?


Disruption to cybercrime ecosystem could be significant, say researchers


As law enforcement and judicial agencies coordinated by Europol and Eurojust continue to dismantle a vast criminal infrastructure responsible for the deployment of ransomware attacks worldwide, what impact will this have on cybercrime threat levels?

The latest phase of Operation Endgame saw the coordinated takedown of nearly 300 servers and 650 domains used by cybercriminals, in what officials describe as a devastating strike to the ransomware kill chain.

The action mobilised law enforcement teams across multiple continents and led to the seizure of €3.5 million in cryptocurrency, bringing the total assets confiscated under Operation ENDGAME to over €21.2 million.

“This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganise,” said Catherine De Bolle, Europol Executive Director.

“By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source.”

Europol stated that this latest phase of Operation Endgame is specifically targeting new malware variants and successor groups that re-emerged after last year’s takedowns, which were hailed as the “largest-ever international action against botnets.”

The current focus is on “initial access malware,” which cybercriminals use to gain a crucial foothold in company systems before launching devastating ransomware attacks.

As Computing reported on Friday, the notorious DanaBot malware family was among the main targets. According to the US Justice Department, DanaBot has facilitated ransomware attacks and fraud amounting to at least $50 million in damages.

As part of the operation, international arrest warrants were issued against 20 key cybercrime figures, most of whom are Russian, believed to be instrumental in providing or managing the infrastructure enabling ransomware attacks. Among those charged in connection with DanaBot are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both residents of Novosibirsk, Russia.

They face a litany of charges, including wire fraud, identity theft, damage to a computer, and wiretapping. Kalinkin could face up to 72 years in prison if convicted, while Stepanov faces five years.

Court documents indicate that while DanaBot developers and many affiliates were based in Russia, some users were in Russian-speaking countries like Poland. Computing recently published an analysis of the Russian-speaking cybercrime underground, which provides more information about this type of network.

Global co-operation

During the operation week, a central Command Post was established at Europol’s headquarters in The Hague. Investigators from Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States worked in real time alongside Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), sharing intelligence and coordinating enforcement actions across borders.

Eurojust played a pivotal role in judicial coordination, ensuring that legal frameworks across multiple jurisdictions were aligned and that investigative efforts were legally supported from the beginning of the case in early 2024.

Selena Larson, Staff Threat Researcher at Proofpoint, thinks this global co-operation could do some real damage to cybercrime networks. She said:

“The disruption of DanaBot, as part of the ongoing Operation Endgame effort, is a fantastic win for defenders, and will have an impact on the cybercriminal threat landscape. Cybercriminal disruptions and law enforcement actions not only impair malware functionality and use but also impose cost to threat actors by forcing them to change their tactics, cause mistrust in the criminal ecosystem, and potentially make criminals think about finding a different career.

“We’ve previously seen disruptions have significant impacts on the threat landscape. For example, after last year’s Operation Endgame disruption, the initial access malware associated with the disruption as well as actors who used the malware largely disappeared from the email threat landscape.”

Larson emphasised the importance of co-operation and intelligence sharing in the likely success of these operations.

“These successes against cyber criminals only come about when business IT teams and security service providers share much-needed insight into the biggest threats to society, affecting the greatest number of people around the world, which law enforcement can use to track down the servers, infrastructure, and criminal organizations behind the attacks. Private and public sector collaboration is crucial to knowing how actors operate and taking action against them.”
