
Police take down Redline and Meta infostealer servers

Law enforcement agencies have once again dismantled the infrastructure behind two major malware operations. This time it concerns the servers behind the Redline and Meta infostealers (the malware is not ransomware, although the credentials it steals are routinely used to prepare ransomware attacks). The action dealt a blow to cyber criminals who use this malware to harvest credentials and other personal data. Real success, however, would require actual arrests, and these have not been made yet or remain undisclosed.

The police action took place under the banner of Operation Magnus, a long-running international campaign in which several European police agencies cooperate with, among others, the Australian police, the FBI, and NCIS, the criminal investigation service of the U.S. Navy.

The announcement method is similar to that of previous campaigns, such as Operation Endgame and the blow dealt to the ransomware group LockBit. In a promotional video, the police poke fun at the criminals, in the style of the mocking messages that hacker collectives themselves often spread.

In the video, the police claim to have gained ‘full access’ to the Redline and Meta servers, including critical data such as user names, passwords, IP addresses, and the malware's source code. The agencies have thus acquired a large amount of data on potential buyers and distributors of the malware.

During the operation, several Telegram groups that served as a marketplace for the malware were taken off the air. ‘Until recently, Telegram was a service where criminals thought themselves untouchable and anonymous,’ reads a press release by the Dutch police. ‘This action has shown that this is no longer the case.’ Telegram co-founder Pavel Durov was arrested in Paris earlier this year because his app allegedly allowed criminal activities on the platform.

Scaring criminals

The main purpose of the video is to scare users of the malware, whose data may now be in the hands of the police, with the prospect of legal consequences. Those users are told they have acquired ‘VIP status’, which stands for Very Important to the Police. A host of aliases then scrolls along the bottom of the screen. “We look forward to seeing you soon,” reads the final goodbye. The police used similar PR tactics in the LockBit campaign earlier this year.

Redline and Meta are widely used in the digital underworld and are sold as malware-as-a-service (MaaS). Redline has been in use at least since 2020 and is popular with Scattered Spider; Meta has been around since 2022. According to cybersecurity firm Acronis, both cost around 150 dollars on criminal marketplaces.

Software is nearly identical

Criminals who want all the features must fork over more cash: the fully featured version of the software costs around 800 to 1,000 dollars. Both stealers scan infected devices for valuable credentials that the user has saved in the browser or e-mail client. Those are exfiltrated to the operators' servers and sold on underground marketplaces, where they give other criminals a ready-made foothold for follow-up attacks such as ransomware. According to the police video, the two pieces of software are virtually the same.

An operation like this can only really be called a success if it leads to actual arrests. After all, the data captured by the police contains the criminals' aliases and user names rather than their real identities. New stealer builds are always available and backup servers are easy to set up, so dismantling infrastructure is in itself not enough.