Police raids co-ordinated by the European Union’s justice agency have taken down computer networks responsible for spreading ransomware via infected emails, in what they called the biggest ever international operation against the lucrative form of cybercrime.
The European Union’s judicial co-operation agency, Eurojust, said on Thursday that police arrested four “high value” suspects, took down more than 100 servers and seized control of some 2,000 internet domains.
The huge operation this week involved co-ordinated raids in Germany, the Netherlands, France, Denmark, Ukraine, the United States and United Kingdom, Eurojust said.
It followed a massive takedown in 2021 of a botnet called Emotet, Eurojust said. A botnet is a network of hijacked computers typically used for malicious activity.
Dutch police said in a statement that the financial damage inflicted by the network on governments, companies and individual users is estimated to run to hundreds of millions of euros.
“Millions of people are also victims because their systems were infected, making them part of these botnets,” the Dutch statement said.
Eurojust said one of the main suspects earned cryptocurrency worth at least €69 million by renting out criminal infrastructure for spreading ransomware.
The operation targeted malware “droppers” called IcedID, Pikabot, Smokeloader, Bumblebee and Trickbot. A dropper is malicious software usually spread in emails containing infected links or attachments such as shipping invoices or order forms.
“This operation shows that you always leave tracks, nobody is unfindable, even online,” Stan Duijf, of the Dutch National Police, said in a video statement.
The deputy head of Germany’s Federal Criminal Police Office, Martina Link, described it as “the biggest international cyber police operation so far”.
“Thanks to intensive international co-operation, it was possible to render six of the biggest malware families harmless,” she said in a statement.
German authorities are investigating seven people on suspicion of being members of a criminal organisation whose aim was to spread the Trickbot malware. An eighth person is suspected of being one of the ringleaders of the group behind Smokeloader.