A ransomware expert called a recent crackdown on cybercrooks in Africa, which resulted in the decryption of six ransomware strains, the takedown of links to malicious websites, and hundreds of arrests, a major action.

“This may not be the same headline as taking down LockBit, but I think it is significant,” said Jon DiMaggio, chief security strategist at Analyst1 and co-author of an upcoming book on chasing ransomware gangs. “Because law enforcement can’t arrest Russian ransomware criminals, it’s smart to focus on areas of the world where we can make a difference and get people.”

He was commenting on the statement today by Interpol that in Operation Sentinel, which ran between October 27 and November 27 of this year, law enforcement agencies in 19 African countries arrested 574 suspects, decrypted six ransomware variants, took down 6,000 malicious links, cracked a business email compromise scam that almost cost a major petroleum company $7.9 million, and recovered approximately $3 million.

Interpol didn’t identify the ransomware strains that were decrypted. DiMaggio suspects they were modified variants of strains available on dark web sites.

Important to disrupt gangs before they expand

In describing the operation, Interpol cited efforts in multiple countries. In Ghana, it said that an unnamed financial institution, which saw 100TB of its data encrypted, was one of the victims. Ghanaian authorities conducted advanced malware analysis that led to the creation of a decryption tool and the recovery of nearly 30TB of the data.

Ghanaian authorities also dismantled a major cyber-fraud network operating across Ghana and Nigeria that defrauded more than 200 victims of over $400,000. Using professionally designed websites and mobile apps, the scammers mimicked well-known fast-food brands, collecting payments but never delivering orders. Ten suspects were arrested in Ghana, over 100 digital devices were seized, and 30 fraudulent servers were taken offline.

In Benin, 43 malicious domains were taken down, and 4,318 social media accounts linked to extortion schemes and scams were shut down, leading to 106 arrests. And in Cameroon, law enforcement reacted quickly after two victims reported a scam involving an online vehicle sales platform. The phishing campaign was traced to a compromised server, and an emergency bank freeze was issued within hours.

A ‘very good thing’

The fact that the same operation broke ransomware operations and a business email compromise (BEC) operation is “unique,” said DiMaggio, because most people think of Africa as the source of BEC and fraud scams.

The fact that authorities are working to disrupt ransomware operations in Africa before they grow to the size of those run by gangs in other areas of the world “is a very good thing,” he said. Africa is “a few steps behind where the Russian ransomware scene is,” so targeting gangs there now before they grow bigger is important, he said.

The breaking of a BEC operation could also be significant, DiMaggio added, because, in aggregate, crooks around the world pull in more money from business email scams than from ransomware.


Operation Sentinel is the second major anti-cybercrime operation in Africa this year. In August, Interpol announced the second stage of Operation Serengeti that saw the arrest of 1,209 people, the dismantling of over 11,400 malicious IT infrastructures, and the recovery of just over $97 million. This operation also dealt with high-impact cybercrimes including ransomware, online scams, and BEC scams.

Other enforcement efforts

These operations were among significant moves against threat actors globally in 2025.

Operation Endgame, an ongoing international anti-botnet effort coordinated by Europol, went after threat actors subscribing to the Smokeloader pay-per-install botnet, took down some 300 servers behind the malware used to distribute ransomware, and, in November, took down or disrupted 1,025 servers including the Elysium botnet, the enabler of the Rhadamanthys infostealer and VenomRAT remote access trojan.

Separately, authorities in the US, Finland, and the Netherlands teamed up to take down AVCheck, one of the largest counter-antivirus services used by criminals around the world.

As well, the Five Eyes intelligence sharing group, consisting of the US, the UK, Canada, Australia, and New Zealand, accused China of supporting threat actors who are attacking critical infrastructure in a number of countries, and Microsoft got a court order allowing it to seize and block 2,300 domains behind the distribution of another infostealer, Lumma Stealer.


An uphill battle

Ed Dubrovsky, chief operating officer of incident response firm Cypfer, said the breaking of six ransomware strains is good news. But, he added, the cybercrime industry is more than ever focused on data theft as opposed to data encryption, and in some cases, data destruction after theft.

“Law enforcement action against cybercrime is of critical importance,” he added. “Without some level of deterrence, and given the upside from a financial [perspective] and other motives, cybercrime would have been much more prevalent and impactful.

“With that said, cybercrime is still a multibillion dollar market, and law enforcement suffers from limited resources and proper ongoing training. Some countries, such as the US, are far ahead of others from a sophistication and effectiveness perspective … Law enforcement is effective, partially, and in very specific areas of cybercrime, and in other areas, the effectiveness is still a work in progress.”

Some threat actors have great IT expertise, he added, and are taking advantage of AI. “Therefore, I believe law enforcement is achieving great impact in reducing cybercrime while also fighting an uphill battle.”

Attackers likely to expand efforts worldwide

Christian Leuprecht, a Canadian university professor and expert on national security, cybercrime, and money laundering, noted that Africa’s population is set to double in the next 25 years, and that it has the youngest population structure of any continent. The combination of a highly innovative and increasingly sophisticated workforce in some of the most politically, economically, and socially unsustainable countries in the world is likely to generate a host of sophisticated local threat actors vying for economic survival and prosperity, with a potentially global reach.

For now, he said, they are going after local targets, likely because they’re less resilient to attack and exploitation. But as local firms harden their cyber defenses, these African-based threat actors are bound to expand their operations globally. 

More, better, and proactive local disruption and enforcement capacity against these threat actors is critical to prevent them from becoming global in scale, he said.

“The scale and sophistication of cyberattacks across Africa are accelerating, especially against critical sectors like finance and energy,” Neal Jetton, Interpol’s director of cybercrime, said in a statement. “The outcomes from Operation Sentinel reflect the commitment of African law enforcement agencies, working in close coordination with international partners. Their actions have successfully protected livelihoods, secured sensitive personal data, and preserved critical infrastructure.”

Operation Sentinel drew not only on the resources of law enforcement agencies but also on assistance from cybersecurity companies including Team Cymru, The Shadowserver Foundation, Trend Micro, TRM Labs, and Uppsala Security.
