FBI reacts after malware takes down 700K computers

Photo credit: Getty Images

This week, the U.S. Justice Department announced that, along with the Federal Bureau of Investigation, it has dismantled “Qakbot” malware that infected 700,000 computers. Many of these computers were in the U.S.

“An international partnership led by the Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world,” said United States Attorney Martin Estrada.

This partnership included actions in the U.S., France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia, per a Justice Department press release. Now, the malicious Qakbot code is being deleted from victim computers. Additionally, the Justice Department announced the seizure of more than $8.6 million in cryptocurrency in illicit profits related to Qakbot.

Estrada explained that Qakbot was the “malware of choice” for some of the “most infamous ransomware gangs,” and that the seized cryptocurrency will be made available to victims. Groups that have utilized it include Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta, according to the DOJ.

“These ransomware groups caused significant harm to businesses, healthcare providers, and government agencies all over the world, including to a power engineering firm based in Illinois; financial services organizations based in Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California,” the department said. “Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims.”

Qakbot is also known as “Qbot” and “Pinkslipbot,” and it spreads to computers via spam email messages with malicious attachments and hyperlinks. Once it infects a victim’s computer, the malware can deliver additional malware and ransomware to the device.

All of the computers with the Qakbot malware on them could be remotely controlled in a coordinated manner and owners of the devices were typically unaware that they had been infected.

“The action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity,” said the DOJ of the “Operation Duck Hunt” actions.

This team “utilized their expertise in science and technology, but also relied on their ingenuity and passion to identify and cripple Qakbot, a highly structured and multi-layered bot network that was literally feeding the global cybercrime supply chain,” said Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office.

To pull off the takedown, the FBI gained access to the Qakbot infrastructure and identified more than 700,000 infected computers worldwide. Of these, 200,000 alone were in the U.S.

“To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot,” the DOJ said.

More information about Qakbot, including resources for victims, is available here.
