Over 100 malware servers shut down in 'largest ever' operation against botnets

International law enforcement agencies announced Thursday that they took several of the most influential malware families offline in the “largest ever operation against botnets.”

The malicious software includes droppers such as IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee and Trickbot, the authorities said. These malware strains are linked to at least 15 ransomware groups, including BlackBasta, Revil and Conti. 

Droppers are often spread through botnets, networks of infected devices quietly controlled by cybercriminals. Droppers used during the first stage of cyberattacks to install other tools, including viruses, ransomware or spyware. Droppers themselves do not usually cause direct damage to the system.

“All of them are now being used to deploy ransomware and are seen as the main threat in the infection chain,” Europol said in a statement. The takedowns started Monday, the agency said.

The malware families have different features that help cybercriminals carry out cyberattacks.

SmokeLoader, for example, was primarily used as a downloader to install additional malicious software onto systems. Pikabot allowed cybercriminals to gain initial access to infected computers to further deploy ransomware, steal data, and remotely seize control of the computer. IcedID is known for stealing people’s bank account credentials.

The Operation Endgame splash page that appeared on seized web domains. 

As a result of the law enforcement action, named Operation Endgame, hundreds of law enforcement officers across the world took down or disrupted 100 servers used by criminals and seized over 2,000 malicious domains, according to Europol.

In addition, one suspect was arrested in Armenia and three in Ukraine. Germany, which was also involved in the investigation, said it had issued arrest warrants against eight suspects, believed to be members of criminal organizations that distributed Trickbot and Smokeloader malware.

The police also discovered that one of the main suspects earned at least €69 million ($74.7 million) in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware. In total, almost 100 crypto wallets containing more than €70 million were blocked at numerous crypto exchanges as a result of the operation.

According to Ukraine’s security service, SBU, the hackers extorted money from representatives of Western corporations totaling tens of millions of dollars.

To get into the victims’ networks and obtain confidential information, the attackers used spyware or phishing emails, the SBU said.

The law enforcement carried out searches in Armenia, the Netherlands, Portugal and Ukraine, obtaining “numerous pieces of evidence” which are currently being evaluated and may lead to follow-up investigations.

“Operation Endgame does not end today,” Europol said. “Suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions.”

Australian security researcher Troy Hunt, who is also the co-founder of the website Have I Been Pwned, which indexes data from security breaches, said that the platform loaded 16.5 million email addresses and 13.5 million unique passwords provided by law enforcement agencies into the platform following botnet takedowns.

“As the data was provided to us by law enforcement for the public good, the breach is flagged as subscription-free, which means any organization that can prove control of the domain can search it,” Hunt said in his blog post.

In a separate operation this week, the U.S. government sanctioned operators of the 911 S5 botnet and arrested its alleged administrator.