What happened? International law enforcement dismantled major ransomware infrastructure between May 19-22, 2025, taking down 300 servers, neutralising 650 domains, and issuing arrest warrants for 20 cybercriminals targeting small businesses.
Key Operation ENDGAME Results:
• 300 servers taken down worldwide
• 650 domains neutralised
• €3.5 million in cryptocurrency seized
• 20 arrest warrants issued
• 6 major malware strains disrupted
Which Malware Was Stopped?
Operation ENDGAME successfully neutralised six ransomware delivery systems commonly used against SMEs:
• Bumblebee
• Lactrodectus
• Qakbot
• DanaBot
• Trickbot
• Warmcookie
What Is Operation ENDGAME?
Operation ENDGAME is an ongoing international cybercrime operation targeting “initial access malware” – the tools criminals use to break into business systems before launching ransomware attacks. This phase, coordinated by Europol and Eurojust, involved law enforcement from Canada, Denmark, France, Germany, Netherlands, UK, and USA.
Why this matters for SMEs: These malware strains operate as “cybercrime-as-a-service,” where criminal groups rent attack tools to target businesses. Small and medium enterprises are prime targets due to typically having fewer cybersecurity defences.
When Did This Happen?
May 19-22, 2025: International law enforcement conducted the latest phase of Operation ENDGAME
May 2024: Previous largest-ever botnet takedown operation
May 23, 2025: 18 suspects added to EU Most Wanted list
June 11, 2025: Europol IOCTA 2025 report focusing on access brokers (upcoming)
Who Was Arrested?
Twenty key cybercriminals received international arrest warrants. German authorities added 18 suspects to the EU Most Wanted list on May 23, 2025. These individuals allegedly provided or operated tools enabling ransomware attacks against businesses worldwide.
How Does This Protect Small Businesses?
Breaking the attack chain: By targeting initial access malware, authorities disrupted the first stage of ransomware attacks before they reach businesses.
Cybercrime-as-a-service disruption: The operation damaged the criminal marketplace where attack tools are rented to target SMEs.
Reduced attack volume: With 300 servers and 650 domains offline, fewer attack vectors are available to criminals.
What Should SMEs Do Now?
While this operation represents significant progress, cybersecurity experts warn businesses should not become complacent:
Immediate actions:
• Maintain regular software updates
• Conduct employee cybersecurity training
• Implement robust backup procedures
• Monitor network access points
Why vigilance remains critical: Criminal groups typically rebuild infrastructure quickly after takedowns. The cybercrime-as-a-service model means new operators often replace disrupted services.
Looking Ahead
Europol’s upcoming Internet Organised Crime Threat Assessment (IOCTA) 2025, scheduled for publication on 11 June, will place particular focus on initial access brokers – the criminals who specialise in gaining entry to business networks. This emphasis underscores the continued importance of protecting against these early-stage intrusions.
Operation Endgame is ongoing, with follow-up actions planned and coordinated through the international law enforcement partnership’s dedicated website.
The success of this operation sends a clear message to cybercriminals that law enforcement agencies are increasingly sophisticated in their approach to dismantling cybercrime infrastructure, offering hope to businesses worldwide that continue to face these evolving threats.
