May 24, 2025

Cybercriminals around the world have suffered a major disruption after law enforcement and judicial authorities, coordinated by Europol and Eurojust, dismantled key infrastructure behind the malware used to launch ransomware attacks. From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain.

In addition, EUR 3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during Operation Endgame to more than EUR 21.2 million.

This latest phase of Operation ENDGAME follows on from the largest-ever international action against botnets in May 2024. It targeted new malware variants and successor groups that re-emerged after last year’s takedowns, reinforcing law enforcement’s capacity to adapt and strike back — even as cybercriminals retool and reorganise.

The operation focused on initial access malware — the tools cybercriminals use to infiltrate systems unnoticed before deploying ransomware. By disabling these entry points, investigators have struck at the very start of the cyberattack chain, damaging the entire cybercrime-as-a-service ecosystem.

The following malware strains were neutralised during the action:

Bumblebee

Latrodectus

Qakbot

Hijackloader

DanaBot

Trickbot

Warmcookie

These variants are commonly offered as a service to other cybercriminals and are used to pave the way for large-scale ransomware attacks. In addition, international arrest warrants were issued against 20 key actors believed to be providing or operating initial access services to ransomware operators.

https://www.europol.europa.eu/media-press/newsroom/news/operation-endgame-strikes-again-ransomware-kill-chain-broken-its-source
