In Operation Endgame, the High Tech Crime Team of the National Investigation and Intervention Unit and the National Public Prosecutors Office closely cooperate with authorities from Germany, Denmark, the United States, Australia, France, Belgium, the United Kingdom, and Canada – supported by Europol and Eurojust.

Arrest in Greece and Thousands of Servers Taken Down

In recent days, one of the main suspects behind VenomRAT was arrested in Greece, and 11 raids took place worldwide, including 9 in Dutch data centers, 1 in Germany, and 1 in Greece. Globally, 1,025 servers were taken down, including 83 in the Netherlands, and 20 domain names were seized. The main suspect behind the infostealer likely had access to more than 100,000 crypto wallets belonging to millions of victims, potentially worth millions of euros.

More Actions

Actions were also targeted at criminal services. Direct contact was made with users of these criminal services to inform them that they are committing criminal offenses and to urge them to share relevant information (regarding infostealers) via a special Telegram channel: t.me/operationendgame. The failing services of infostealers were exposed via the website www.operation-endgame.com.

Infostealers, Botnets, and RATs

Infostealers and botnets are among the most commonly used software worldwide to steal sensitive personal information (such as passwords and bank details) from a device. These services operate on a business model where a cybercriminal buys a botnet (a network of infected computers) to take control of these computers and collect their data on their own server. A RAT is software that allows logging in from one base computer and remotely managing all registered computers. Cybercriminals use this software to gain full control over a digital system.

Intensive International Cooperation

Ten countries and more than 30 national and international public and private parties join forces in this coordinated operation targeting botnets, infostealers, and RATs – everything cybercriminals want to use to victimize people. "Law enforcement and the cybersecurity sector need each other to make and keep the digital world as safe as possible," continues Stan Duijf. That is why there is intensive cooperation with public and private parties. Nationally and internationally, partners such as Cryptolaemus, Shadowserver, RolR, Spycloud, Cymru, Proofpoint, Trellix, Crowdstrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, and DIVD have made important contributions. In the Netherlands, cooperation with partners from the Melissa collaboration has continued. This is not the first, nor the last time actions take place within this operation.

Is Your Computer Infected?

Worldwide, more than 600,000 victims have been infected by these dismantled malware types, and tens of millions of pieces of victim data have been stolen. The Dutch police have secured and made inaccessible the stolen data of computer users (email addresses and login credentials). At www.politie.nl/checkjehack, you can check whether your login details appear in the set and what to do if your computer is infected. The police recommend checking again in a few weeks, as new login details are continuously added to the police database.