Ransomware hackers charged, infrastructure dismantled in international law enforcement operation

European and North American law enforcement agencies disrupted key infrastructure this week used to launch ransomware attacks as part of an ongoing effort dubbed “Operation Endgame.”

Europol said 300 servers and 650 domains were taken down worldwide, while about $3.5 million was seized during raids throughout the week. Multiple arrest warrants were issued for nearly two dozen people allegedly involved in the ransomware industry.

As part of the operation, prosecutors in the U.S. charged 16 alleged members of a cybercriminal organization that developed the DanaBot malware. The Justice Department said the malware was used to infect more than 300,000 computers and facilitated ransomware attacks as well as fraud amounting to at least $50 million worth of damage. 

Multiple tech companies and cybersecurity firms like CrowdStrike, Amazon, ESET, Google, ProofPoint, ZScaler, PayPal and more assisted with Operation Endgame. Europol said the latest phase of the operation is targeting new malware variants and successor groups that re-emerged after last year’s takedowns — which they called the “largest-ever international action against botnets.”

The phase is centered on initial access malware, which cybercriminals use to gain a foothold into a company’s systems before launching ransomware attacks. 

In addition to targeting the infrastructure of DanaBot, law enforcement agencies said they “neutralized” new versions of Bumblebee, Lactrodectus, Qakbot, Hijackloader, Trickbot and Warmcookie. 

“These variants are commonly offered as a service to other cybercriminals and are used to pave the way for large-scale ransomware attacks,” Europol said. “In addition, international arrest warrants were issued against 20 key actors believed to be providing or operating initial access services to ransomware operators.”

Several of the suspects will soon be on the EU’s most wanted list.

DanaBot dismantling

The alleged DanaBot hackers, including 39-year-old Aleksandr Stepanov and 34-year-old Artem Aleksandrovich Kalinkin, both of whom live in Novosibirsk, Russia, each face a litany of charges that include wire fraud, identity theft, damage to a computer, wiretapping and more. Kalinkin is facing up to 72 years in prison if convicted while Stepanov is facing five years. 

Court documents said that while DanaBot developers and many affiliates are located in Russia, some users are located in countries like Poland and Thailand. An FBI official said he has been investigating DanaBot since 2019. 

DanaBot, first discovered by cybersecurity firm Proofpoint in 2018, was spread through phishing emails that had malicious attachments or links. Once infected, a compromised device became part of a botnet that allowed the operators to remotely control the devices. 

The administrators of DanaBot would then lease access to the botnet for a fee and offer support to customers, typically bringing in $3,000 to $4,000 each month. DanaBot could also be used to steal data, hijack banking sessions, access browser history, send account credentials and more. 

The powerful malware also allowed administrators and users to record victims, track their keystrokes and more. The Justice Department said it has evidence that DanaBot was used as a precursor to ransomware attacks. 

According to the DOJ, the administrators also operated a specialized version of the botnet that focused on attacking computers used by military, diplomatic and government entities. This was “allegedly used to target diplomats, law enforcement personnel, and members of the military in North America, and Europe,” prosecutors said.

Department of Defense official Kenneth DeChellis said in a statement that the malware “was a clear threat to the Department of Defense and our partners.”

Defense Department investigators conducted seizures and takedowns of DanaBot command and control servers, including multiple located in the United States. 

U.S. officials said they are also working with the U.K.-based Shadowserver Foundation to notify other DanaBot victims.