Global Cyber Strike Disrupts SocGholish, Amadey, and StealC Malware Networks

Europol together with partners from across the globe today announces a landmark blow to cybercriminal networks as part of Operation Endgame, a sweeping international operation targeting the criminal infrastructure behind ransomware and malware like SocGholish, Amadey, and StealC. In coordinated actions over the past two weeks, key components of these malicious toolkits were dismantled as part of a public-private effort.

Participants included law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom and the United States, as well as the US software company Microsoft and other private partners, with the international activity coordinated by Europol and Eurojust. The main common goal was to disrupt the "assembly lines" cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure.

Crypto assets of criminal origin currently valued at over EUR 41 million (USD 47 million) were identified, flagged, and thereby restricted from use. Moreover, as many as 27 million stolen login credentials have been recovered as part of this operation.

During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network. By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover.

“Cybercrime-as-a-service” business model

The neutralised malware variants were offered as a service (“cybercrime-as-a-service”), with other cybercriminals using them as a tool for the initial infection of targeted systems. They subsequently served as a starting point for further criminal activities, such as installing ransomware for digital extortion or fraudulent use of data.

  • The malware SocGholish (a so-called dropper/loader) allowed unauthorised parties to gain access to computer systems by distributing fake browser updates via compromised websites. Instead of the update, internet users inadvertently installed the malware. This approach, which has claimed countless victims, relies primarily on compromising websites built with WordPress and injecting the malicious code into them. The unauthorised access was then exploited for further crimes, such as installing ransomware for the purpose of digital extortion.
  • The malware StealC (a so-called stealer with dropper function), which was spread through multiple attack vectors, was primarily designed to extract sensitive information such as passwords, stored access data and digital identities from compromised computers and to make them available for subsequent illicit use, especially data trading and fraudulent use.
  • The malware Amadey (a so-called dropper/loader) was mainly disseminated through phishing campaigns. It thus served as the first link in a larger attack chain and was capable of introducing additional malware into compromised systems. The malware also had stealer capabilities and could therefore retrieve sensitive data.

A blow to cybercriminal infrastructure

During the action against SocGholish, 14 971 infected websites - including those of restaurants, auto repair shops, and other everyday services - were remediated. SocGholish is linked to the Russian cybercriminal group Evil Corp. This group has previously been responsible for the Zeus and Dridex malware and is also associated with several large-scale ransomware and money-laundering operations.