A coordinated law enforcement takedown across seven countries has struck at the infrastructure behind major ransomware operations.
From May 19 to 22, authorities from seven countries seized 300 servers and shut down 650 domains in a sweeping global action targeting the backbone of ransomware delivery. The operation, coordinated through Europol and Eurojust under the name Operation Endgame, also led to international arrest warrants for 20 suspects and the seizure of €3.5 million in cryptocurrency, bringing the total seized during Endgame to €21.2 million.
The operation focused on malware strains such as Bumblebee, Qakbot, DanaBot, Trickbot, Warmcookie, and Latrodectus. These tools are commonly sold as services to other cybercriminals, enabling ransomware attacks by providing initial access to victims’ systems.
Operation Endgame is a multi-phase effort aimed at dismantling cybercrime infrastructure rather than individual attacks. The malware loaders targeted in this wave are foundational to many ransomware operations. By disrupting these tools, law enforcement seeks to break what Europol calls the ‘kill chain’, the sequence of steps used to execute a ransomware attack.
DanaBot was the main focus. On May 23, the U.S. Department of Justice unsealed indictments against 16 individuals allegedly involved in operating the DanaBot botnet, including eight Russian nationals. The malware, active since 2018, operates as malware-as-a-service (MaaS), rented to clients for thousands of dollars monthly. It enables full system control, banking session hijacking, data theft, and surveillance. A second version was reportedly used for cyberespionage targeting military, diplomatic, and law enforcement organizations in North America and Europe.
DanaBot alone is believed to have infected over 300,000 computers worldwide, causing at least $50 million in damages.
Europol Executive Director Catherine De Bolle stated that the operation demonstrated law enforcement’s ability to “adapt and strike again” as cybercriminals retool. “By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source,” she said.
The U.S. Justice Department noted that DanaBot’s espionage version was used to steal data from high-value targets and reroute it to different command servers, distinct from the fraud-focused version of the botnet.
Operation Endgame reflects a shift in how international law enforcement agencies are addressing ransomware by focusing on the infrastructure behind malware distribution rather than targeting individual actors. The coordinated takedown of services tied to malware loaders aims to interrupt ransomware campaigns before they can begin.
Past efforts, such as actions against Emotet and Qakbot, followed a similar strategy, but Operation Endgame appears to mark a more sustained effort to disrupt the broader ransomware ecosystem. While these actions may reduce activity in the short term, experts caution that strong financial incentives and ongoing demand could lead to the development of replacement tools unless wider deterrent measures are adopted.
Malware loaders are tools that stealthily deliver additional malware onto a victim’s system. They are often the first step in a ransomware attack, making them a key target for prevention efforts.
Rather than focusing on one group or botnet, Operation Endgame targets the broader infrastructure used across many ransomware campaigns, including servers, domains, and financial assets.
MaaS platforms like DanaBot offer cybercriminals access to pre-built malware and support services. Clients pay monthly fees to deploy attacks without needing to develop their own code.
Takedowns such as this can disrupt ongoing operations and slow future attacks, but complete prevention depends on continued international cooperation, stronger cybersecurity practices, and legal accountability.
Organizations should continue to enforce strong access controls, patch vulnerabilities quickly, monitor for unusual activity, and use multi-layered security to detect and contain threats early.