Ransomware Infrastructure Dismantled in Global Operation
June 4, 2025

Jonathan Greig reports in The Record that a sweeping international operation dubbed “Operation Endgame” dismantled key ransomware infrastructure behind global cyberattacks, including 300 servers and 650 domains. European and North American law enforcement agencies coordinated with major tech companies in the takedown.
US prosecutors charged 16 individuals allegedly tied to the gang that developed DanaBot malware (United States of America v. Aleksandr Stepanov, Danil Khalitov, Aleksey Efremov, et al.), which infected over 300,000 devices and enabled fraud and ransomware damage exceeding $50 million.
The operation, supported by cybersecurity leaders such as CrowdStrike, Google, and Amazon, resulted in the seizure of $3.5 million and the issuance of nearly two dozen arrest warrants.
DanaBot, a sophisticated malware strain discovered in 2018, was primarily disseminated through phishing emails. It allowed attackers to take full control of compromised devices, stealing sensitive data and enabling large-scale ransomware attacks.
Operated from Russia with users across multiple countries, DanaBot generated significant monthly revenue by leasing access to its botnet and providing customer support.
Prosecutors allege the botnet also targeted military and government systems in North America and Europe, raising serious national security concerns.
Operation Endgame focused on neutralizing “initial access malware” (tools used by attackers to penetrate systems before launching ransomware campaigns).
Beyond DanaBot, authorities also disrupted other malware strains, including Qakbot, Trickbot, and Bumblebee. These tools were commonly offered as services to cybercriminal groups and formed the backbone of many ransomware operations.
Arrest warrants were issued for 20 individuals suspected of facilitating the use of these tools.
Legal teams advising clients on cybersecurity or representing victims of breaches must remain aware of the evolving threat landscape. Cybercriminal groups are becoming increasingly sophisticated and collaborative, utilizing tools that easily bypass traditional defenses.
Law firms and legal departments should ensure that their internal systems and client data are protected against intrusions that rely on ransomware infrastructure.