Euro cops disrupt malware droppers, seize thousands of domains

Operation Endgame just beginning: 'Stay tuned,' says Europol


An international law enforcement operation led by Europol has kicked off with the announcement of multiple arrests, searches, seizures and takedowns of malware droppers and their operators.

Operation Endgame's first action days earlier this week saw the EU task force and its law enforcement partners from the US and UK coordinate to disrupt the operations of malware droppers including IcedID, Bumblebee, SystemBC, Pikabot, Smokeloader and the late Trickbot.

Droppers, for those unaware, are malware used to facilitate the installation of other malware on infected systems. Droppers are typically installed first as part of the initial access process and are transmitted via phishing emails and other common initial access vectors. 

Europol described the beginning of Operation Endgame as "the largest ever operation against botnets, which play a major role in the deployment of ransomware." According to the international cop group, law enforcement coordinated to make four arrests, search 16 locations, seize more than 100 servers - including some located in the US and UK - and take down more than 2,000 domains used for disseminating malware and committing other cyber crimes. 

Three of the arrests were made in Ukraine, with a fourth person being picked up in Armenia. Names weren't disclosed, but Europol said its investigation uncovered at least €69m in cryptocurrency earned by the main suspects for renting out their illegal infrastructure for ransomware deployment. 

Along with the four arrests, German law enforcement also added eight fugitives to the EU's most wanted list for involvement in the cybercrimes Operation Endgame was targeting and other "serious cybercrime activity." 

The announcement of Operation Endgame's successful week comes a day after the United States Department of Justice announced that it had disrupted what it described as possibly being the world's largest botnet, the 911 S5 residential proxy network. 

As in the case of Endgame, DoJ officials made at least one arrest as part of their action against 911 S5, a botnet they claim included more than 19 million compromised Windows machines spread around the world. Twenty-three domains and more than 70 servers were seized, and around $60m in ill-gotten gains were recovered, as part of the US action.

Europol officials told The Register that the US's botnet takedown yesterday had no connection to Operation Endgame's seizures. 

Beyond that, Endgame isn't anywhere near its end game yet - today's announcement is just the first of more to come, Europol told us, pointing us to a new Operation Endgame website where future actions will be announced, and where cops will try to goad cybercriminals into turning themselves in. 

"This is Season 1 of Operation Endgame. Stay tuned. It sure will be exciting," the cybercops behind the operation said. "Maybe not for everyone though." ®
