UK, US Police Target Ransomware Gangs In Latest Action

Police from UK, US, five other countries take down 300 servers, seize 650 internet domains in latest action targeting ransomware gangs


Law enforcement authorities in the UK, the US and five other countries have taken down some 300 servers and seized 650 internet domains and 3.5 million euros (£2.9m) in cryptocurrency in a Europol-coordinated action targeting ransomware gangs.

The action, part of the ongoing Operation Endgame that targeted gangs’ botnet infrastructure last year, specifically took aim at groups that provide the tools to gain initial access to organisations’ networks, known as ransomware-as-a-service providers.

Notorious malware strains such as Trickbot and Danabot were neutralised, Europol said.

International investigators participate in takedown of malware infrastructure at Europol command centre in the Hague in May 2025. Image credit: Europol

Initial access

Other malware targeted included Bumblebee, Latrodectus, Qakbot, Hijackloader and Warmcookie.

“This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganise,” said Europol executive director Catherine De Bolle.

“By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source.”

Authorities issued international arrest warrants against 20 “key actors” believed to be providing or operating initial access services to ransomware gangs.

German authorities published 18 of the suspects on the EU Most Wanted list on Friday, with many being Russian citizens or Russian-language speakers.

Authorities from Canada, Denmark, France, Germany and the Netherlands also took part in the action.

Last year’s operation was believed to have seriously disrupted many ransomware operations, although they soon recovered to reach record-breaking levels in 2024.


Retail attacks

The recent hacks on Marks & Spencer, the Co-op and Harrods are believed to have been carried out by a gang of English-speaking youths called Scattered Spider working with Russian-speaking ransomware initial access providers.

The operation, which took place from 19 to 22 May, brings the total cryptocurrency seized by Operation Endgame to 21.2m euros.

Europol provided coordination, operational and analytical support and cryptocurrency tracing and facilitated real-time information exchange between the partners, including setting up a command post at Europol headquarters in the Hague where investigators from around the world worked with Europol’s European Cybercrime Centre and its Joint Cybercrime Action Taskforce.

Eurojust provided support on judicial cooperation, Europol said.

In the action last May police in Europe and the US coordinated what authorities said was the largest-ever action against botnets used to place malware such as ransomware on users’ and organisations’ systems.

That action targeted the infrastructure of “dropper” software including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.