An international law enforcement operation code-named ‘Synergia’ has taken down over 1,300 command and control servers used in ransomware, phishing, and malware campaigns.
Command and control servers (C2) are devices operated by threat actors to control malware used in their attacks and to collect information sent from infected devices.
These servers allow the threat actors to push down additional payloads or commands to execute on infected devices, making them integral architecture in many attacks.
For some malware, taking a command and control server offline prevents further malicious activity, as the threat actors cannot send or receive data from the infected devices.
The Synergia operation identified and took down command and control servers between September and November 2023, with 60 law enforcement agencies from 55 countries participating in the operation.
As a result of this action, the police identified 1,300 C2 server IP addresses linked to ransomware, malware, and phishing campaigns.
Interpol says roughly 70% of the command and control (C2) servers identified during the operation have been taken down, constituting a significant disruption for cybercriminals.
Most of those servers were located in Europe, while a notable number were also found in Singapore and Hong Kong. In Africa, most activity occurred in South Sudan and Zimbabwe, and in the Americas, malware ops were found and dismantled in Bolivia.
Additionally, as a result of Synergia, law enforcement authorities detained 31 individuals who are believed to be linked to cybercrime operations and identified another 70 suspects. The authorities also conducted 30 house searches and confiscated items that can help subsequent investigations.
“The results of this operation, achieved through the collective efforts of multiple countries and partners, show our unwavering commitment to safeguarding the digital space,” stated Bernardo Pillot, Interpol’s Cybercrime Assistant Director.
“By dismantling the infrastructure behind phishing, banking malware, and ransomware attacks, we are one step closer to protecting our digital ecosystems and a safer, more secure online experience for all.”
Cyber-intelligence firm Group-IB, which participated in the operation by feeding investigations with crucial data, reports that over 1,900 IP addresses associated with ransomware, banking trojan, and malware operations were identified this time.
Group-IB said that the remaining 30% of the servers that haven’t been taken offline yet are currently under investigation for their role in cybercrime operations.
Other cyberintelligence partners who participated in Synergia are Kaspersky, Trend Micro, Shadowserver, and Team Cymru.
Taking down C2 servers is a significant step in disrupting cybercrime activities, as they are crucial components in botnet operations, data exfiltration, payload fetching, attack coordination, remote command execution, and more.
Also, seizing servers can often help gather intelligence that can be pivotal in continuing investigations on specific cybercrime operations.
However, C2 takedowns are not always effective. For example, peer-to-peer botnets designed to be resilient can quickly recover from such disruptions, while ransomware actors can switch to using backup domains and servers.