Using the digital equivalent of a sleight-of-hand trick, a coterie of international law enforcement has dismantled the notorious, prolific Qakbot botnet network and malware.
The Federal Bureau of Investigation (FBI) and the Justice Department, in collaboration with ransomware busters in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom, knocked down the infrastructure used by the Botnet gang to launch cyber extortions, commit financial fraud and other cyber-related crimes.
Officials called the action, ironically dubbed "Operation Duck Hunt,” the largest U.S.-led “financial and technical disruption” of a botnet infrastructure. To overwhelm Qakbot, the FBI redirected Qakbot traffic to FBI-controlled servers, which instructed infected computers to download an uninstaller file. This uninstaller was created by law enforcement to break the connection between the victims’ computers and the Qakbot botnet, preventing further installation of malware through Qakbot.
How Qakbot Operated
The Qakbot network armed the cybercriminals with a “command-and-control infrastructure consisting of hundreds of thousands of computers” used to carry out attacks against individuals and businesses worldwide, said FBI director Christopher Wray.
Officials estimated that the Qakbot network spanned some 700,000 infected computers worldwide, including more than 200,000 in the U.S.
So far, no one has been arrested as a result of the probe, officials said.
The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers, the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory. If potential compromise is detected, administrators should apply the agency's incident response recommendations, the bulletin said.
A deep dive on the Qakbot mechanics can be found here in a CISA advisory.
Qakbot: A History Lesson
Since its inception in 2008, Qakbot malware has been used in ransomware attacks and other cybercrimes that caused hundreds of millions of dollars in losses to individuals and businesses in the U.S. and abroad, as detailed in an alert issued by the CISA on August 30, 2023.
The crew has been regarded as particularly dangerous for its attacks on financial services organizations, healthcare facilities and critical infrastructure, the latter two are of particular danger for their potential to compromise national security. Of note, Qakbot has also worn out managed service providers and small- to medium-size businesses.
Law Enforcement Actions on Qakbot
Law enforcement also retook nearly $9 million in cryptocurrency from the Qakbots, which will be returned to its victims, the Justice Department announced. In addition, the FBI seized 52 servers, which it claimed would effectively bring the botnet to its knees. According to the FBI, victims include a power engineering firm based in Illinois; financial services organizations based in Alabama, Kansas and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California.
The FBI also said it recovered the stolen credentials -- including email addresses and passwords -- of more than 6.5 million victims, adding that its international partners identified “millions more.” Investigators have found evidence that between October 2021 and April 2023, Qakbot administrators received fees of approximately $58 million in ransoms paid by roughly 40 victims.
Qakbot has been the go-to malware used by ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.
Tech Vendors Provide Support to Law Enforcement
Zscaler provided valuable technical assistance in the sting, the FBI said. Additional partners included CISA, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation.
Cybersecurity experts immediately weighed in on the operation. "We applaud the FBI for taking control of the Qakbot malware command-and-control infrastructure; unfortunately, without any arrests, it's likely that the criminals will setup new adversary infrastructure in the near future,” said Dave Ratner chief executive of HYAS.
“With dwell time being as little as 24 hours, these attacks highlight once again how critical it is for organizations to have immediate visibility into anomalous network traffic communicating with adversary infrastructure so that they can take control before ransomware impacts operational resiliency, as recommended by CISA and the NSA via Protective DNS solutions," he said.
John Hammond, principal security researcher at Huntress, hailed the Qakbot takedown as “phenomenal news” for the IT industry.
“There's no better word for it, it is just awesome to see the international collaboration and a huge effort that makes a massive impact to not only the Qakbot botnet strain but also the ransomware syndicates that make use of it. Historically, Huntress has seen firsthand an egregious amount of Qakbot infections, running rampant across the MSP/SMB space, so much so that the wider MSP community took note and we worked to address it,“ Hammond said.
The “dismantlement” of Qakbot’s infrastructure and knocking down its ability to coordinate a global operation is the “real success story,” said Austin Berglas, global head of professional services at BlueVoyant and former FBI cyber division special agent.
“Identifying and arresting the individuals responsible is the next, and often most difficult chapter in the investigation. The FBI's willingness to undertake multi-year, complex, global investigations is the reason why today, so many thousands of victims are no longer unwitting members of a massive botnet of infected computers.”