Operation Endgame disrupts Rhadamanthys information-stealing malware

International cybercrime-fighting agencies, co-ordinated by Europol, took down over 1000 servers and seized 20 domains earlier this month as part of Operation Endgame 3.0.

Their target? Three major malware platforms: the infostealer known as Rhadamanthys, the VenomRAT remote access trojan, and the Elysium botnet.

According to Europol's press release, the dismantled cybercriminal infrastructure "consisted of hundreds of thousands of infected computers containing several million stolen credentials," with "many of the victims...not aware of the infection of their systems."

Europol claims that the main suspect behind the Rhadamanthys infostealer is thought to have had access to over 100,000 cryptocurrency wallets belonging to victims, potentially worth millions of Euros. Anyone who wishes to check that their computers have not been compromised are advised to run a search against their email address, either via the Dutch national police website or HaveIBeenPwned.

The takedown of the cybercriminal infrastructure involved over 30 national and private-sector partners — including law-enforcement agencies from Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands and the United States — as well as cybersecurity firms including Bitdefender.

Aside from the disruption to the criminal operation, the action saw 11 searches conducted to gather information and collect evidence, and at least one arrest - the suspected creator and seller of VenomRAT was detained in Greece.

It's not been all work and no play for the law enforcement agencies engaged in Operation Endgame's objective of disrupting cybercriminal activity. On the initiative's official website it has been publishing "seasons" of videos, which appear to be designed to taunt the threat actors behind the likes of the Rhadamanthys infostealer, and warn that they will soon be brought to justice.

The website shares the names and photographs of some of Europe's most wanted cybercriminals, and provides contact details for anybody who wishes to share information that could lead to their arrest and apprehension.

By targeting those behind information-stealing malware, remote access trojans, and botnets, the authorities are hoping to disupt the underlying cybercriminal infrastructure which helps enable headline-grabbing ransomware attacks.

A takedown like this means that fewer stolen passwords are being shared with ransomware operators, and more victims may learn that their computers have been compromised (and hopefully put better security in place.)

This does not just help European computer users, but everyone connected to the internet.

Although this latest "season" of success for Operation Endgame is to be applauded, it is important to recognise that disrupting a cybercriminal operation is not the same as eradicating it. Criminals will rebuild their services and infrastructure. New information stealers are likely to emerge in the wake of Rhadamanthys, and variants of VenomRAT may resurface under a new name.

Now is not the time for a false sense of security, but instead to remain vigilant, and ensure that strong defences are in place to fend off future attacks.