Валентин Шнайдер
Hot News
26 May 2025, 13:41
Europol, as part of Operation Endgame 2.0, destroyed the infrastructure of hacker groups and paralyzed their work
From May 19 to 22, law enforcement agencies from seven countries, coordinated by Europol and Eurojust, conducted a large-scale cyber operation, Endgame 2.0, aimed at destroying the underlying malware infrastructure — the downloaders that launch the chain of attacks. This is one of the largest strikes on the cybercrime industry.
During the operation, more than 300 servers were taken down and 650 domains were neutralized, and 20 international arrest warrants were issued for cyberattack suspects, Europol said in an official statement.
The operation targeted not the ransomware itself but the first stage of an attack: initial access malware, which opens the door to the victim's systems. This category includes well-known tools such as Bumblebee, Qakbot, Trickbot, WarmCookie, DanaBot, Latrodectus, and HijackLoader.
These botnets do not encrypt files directly. Instead, criminal groups use them to gain access to corporate networks, install further malware, and pass that access to affiliates, who then deploy ransomware. Hitting this infrastructure is therefore considered an early disruption of the kill chain.
"We are targeting services that allow ransomware to be launched. This is a strategic advantage that we will develop," said Europol Director Catherine De Bolle.
Endgame 2.0 results.
The searches also resulted in the seizure of over €3.5 million in cryptocurrency, and the total financial losses to cybercriminals across the two phases of Endgame exceeded €21 million. This is an unprecedented amount for anti-criminal cyber operations.
Overall, the actions were coordinated from a command center in The Hague, where operatives from North America and Europe acted synchronously.
Operation Endgame 2.0 demonstrated that the international law enforcement community can not only react to the consequences of attacks, but also act proactively, disrupting cybercriminal logistics before ransomware is launched. This significantly complicates the operations of ransomware groups and undermines the crime-as-a-service economy at the infrastructure level.
We also previously wrote about the first Endgame operation, in which four cybercriminals from Ukraine and Armenia were detained, more than 100 servers around the world were taken down, and more than 2,000 domains were placed under the control of law enforcement agencies.