Law enforcement across Europe dismantled Thursday a cybercrime organization that earned millions through botnets, whose purpose was to create a network of infected computers from which to deploy malware and ransomware against its targets.

As part of Operation Endgame between May 27-29, police arrested four high value targets and took down several droppers—software used to install viruses, ransomware or spyware—the group deployed against its victims.

“This is the largest ever operation against botnets, which play a major role in the deployment of ransomware,” Europol said. The operation was a near continent-wide effort and included law enforcement and cybercrime specialists across 13 countries, in addition to several private security companies.

Droppers are deployed as a first strike tool in malware attacks; they allow hackers to bypass installed security measures and install harmful software of their own. While usually benign to computers themselves, droppers nonetheless play a role in causing serious damage to affected systems.

Specific dropper programs named by Europol include SystemBC, used to facilitate anonymous communication between infected systems and the cybercriminals’ command-and-control servers; Bumblebee, used to deploy phishing campaigns; and IcedID, used as a banking trojan software tool to steal its victims’ financial data.

Other droppers served various additional purposes such as deploying ransomware and enabling remote access to infected systems.

What makes them so dangerous is their evasion capabilities; they can obfuscate their own code to impersonate legitimate software and operate on an infected computer without saving themselves to the local hard drive, thereby making it difficult for security software to locate and delete them.

Once its mission is complete, the dropper can then delete itself and leave the malware installed to run its intended malicious activities.

Police carried out 16 raids in four countries as part of Operation Endgame against the hackers; four arrests were made in Armenia and Ukraine, while more than 100 servers and 2,000 domains were taken down in 10 countries across Europe and North America.

One of the primary suspects reportedly earned no less than 69 millions euros (US$74.8 million) in ill-gotten gains by renting out criminal infrastructure sites to deploy ransomware, Europol said. Their assets are under surveillance and suspect to seizure at the investigators’ discretion.

Eight fugitives linked to the cybercrime ring are still said to be unaccounted for; Germany has issued outstanding warrants in their names and, as of May 30, they have been added to Europe’s Most Wanted list.

(Photo: Europol, License)