Operation Endgame

Operation Endgame—the largest ever battering for botnets

Europol has published the results of Operation Endgame, a campaign aimed at the infrastructure spreading IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.

Lately, it seems that law enforcement agencies are having a lot more fun celebrating their victories against cybercriminals.

This time it was the turn of Europol, which announced “Season one” of Operation Endgame, a campaign against botnets that’s urging criminals to “Think about (y)our next move.” The coordinated actions of multiple agencies is the biggest ever operation against botnets and includes four arrests, 100 servers taken over, and over 2,000 domains seized.

This domain has been seized notification
Message left by law enforcement on one of the seized domains

According to the agency, between 27-29 May 2024, Operation Endgame targeted botnets used to spread droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.

Droppers are usually the first stage in a malware attack. They are small, hard to detect, and once in place they can help bypass security software and initiate further malicious infections. They often deploy living-off-the-land (LOTL) techniques to map the environment and prepare it for data theft and ransomware deployment.

By taking down the criminal infrastructures and freezing illegal proceeds, the cooperating agencies have put a dent in the global dropper ecosystem, which feeds into the ransomware ecosystem as well.

Droppers can enter systems through various channels, such as email attachments and compromised websites, but they can also be bundled with legitimate software.

This is all good news, but law enforcement agencies announcing their victories is nothing new, you might say. Maybe, but the style of it is. The recent take-down of LockBit set the tone with some serious trolling, and showed that a bit of flair goes a long way when it comes to getting headlines.

In the case of Operation Endgame, Europol have created a dedicated website directed at their criminal targets.

The Operation Endgame website home page
The Operation Endgame website

The website warns the criminals that this is just stage one of the operation, and they need to reconsider their actions.

No-one is untraceable, not even online. You always leave traces, as was again proven in this operation.

It also hints that this is just the beginning, saying “some results can be found here, others will come to you in different and unexpected ways,” and encouraging them to come forward, while indicating that others have done the same before them. Obviously, the hope is that accomplices will get nervous and come forward with information that can lead to more take-downs and arrests.

We look forward to the next seasons of Operation Endgame. I’ve got my popcorn ready and I’m in binge-watching mode now.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.