FBI, DOJ bust up global malware network that has run since 2008

Qakbot malware has infected more than 700,000 computers globally and is associated with nearly $60 million in fees generated by ransomware.


An operation led by the FBI and the Department of Justice, in conjunction with international law enforcement agencies, has taken down the botnet infrastructure of Qakbot, a malware platform that has been used to deploy ransomware and to commit financial fraud and other cybercrimes, according to the FBI.

In operation since 2008, Qakbot malware has caused hundreds of millions of dollars in losses to people and businesses worldwide, the FBI reported. The law enforcement operation identified more than 700,000 infected computers worldwide, with over 200,000 of those computers located in the U.S.

Between October 2021 and April 2023 alone, Qakbot administrators are believed to have received around $58 million in fees related to ransomware payments, according to the DOJ.

It is believed that Qakbot was behind attacks on businesses, health care systems and government agencies, including a power engineering firm in Illinois; financial service organizations in Alabama, Kansas and Maryland; a defense manufacturer in Maryland; and a Southern California food distributor.

Qakbot, which has also been called Qbot and Pinkslipbot, has been used to target organizations across the globe by prolific ransomware gangs including Conti, ProLock and REvil.

In addition to dismantling the botnet and deleting its code from infected computers, the agencies also seized more than $8.6 million in illicitly gained cryptocurrency.

The DOJ reported that the takedown, dubbed “Operation Duck Hunt,” was one of the largest U.S.-led enforcement actions against a botnet, a network of malware-infected computers controlled by an attacking party. In addition to the U.S. agencies, the operation also involved their counterparts in France, Germany, the Netherlands, Romania, Latvia and the U.K.

“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” FBI Director Christopher Wray said in a release. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”

How Qakbot operated

According to the Justice Department, Qakbot primarily infected computers through spam emails that contained malicious attachments or hyperlinks. Once a computer was infected, the program could then deliver additional malware, such as ransomware.

To execute the takedown, the FBI redirected Qakbot traffic to servers the bureau controlled and then instructed infected computers to download an uninstall file. The FBI reported the uninstaller removed Qakbot malware, breaking the infected machine’s connection to the botnet.

“The Operation Duck Hunt team utilized their expertise in science and technology, but also relied on their ingenuity and passion to identify and cripple Qakbot, a highly structured and multi-layered bot network that was literally feeding the global cybercrime supply chain,” Donald Alway, the assistant director in charge of the FBI’s Los Angeles Field Office, said in a release. “These actions will prevent an untold number of cyberattacks at all levels, from the compromised personal computer to a catastrophic attack on our critical infrastructure.”
