US, European agencies dismantle Qakbot network used for ransomware and scams

Multiple law enforcement agencies across the globe have taken down Qakbot — one of the most prolific and longest-running botnets.

The FBI, U.S. Justice Department and agencies in France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia said on Tuesday that they not only had shut down Qakbot’s computer infrastructure but also proactively removed the malware from infected devices.

Qakbot malware had been used since 2008 to infect more than 700,000 devices around the world and allowed a wide variety of cybercriminals to launch ransomware attacks as well as scams. More than 200,000 of the infected devices were in the U.S., according to senior FBI officials.

“An international partnership led by the Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world,” said U.S. Attorney Martin Estrada of the Central District of California. “Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out”

Authorities said they also seized more than $8.6 million in cryptocurrency that victims can apply to receive a portion of.

Senior FBI and Justice Department officials said they received court orders allowing them to delete the malware from victim computers, effectively sending out an “update” that removed it from a device’s memory.

Today, #FBI Director Christopher Wray announced a Bureau-led operation that crippled a long-running botnet. Just in the past year, this botnet infected approximately 700,000 computers. Learn how the FBI restored control to victims: https://t.co/RVEwdGBFzu pic.twitter.com/yCXhK5pDtl

— FBI (@FBI) August 29, 2023

Officials declined to say if the operation involved arrests but noted that Latvian law enforcement agencies took down servers on August 25 to coincide with the other actions taken by U.S. and EU officials.

“This investigation has taken out a prolific malware that caused significant damage to victims in the UK and around the world,” said Will Lyne, head of cyber intelligence at the U.K.’s National Crime Agency. “Qakbot was a key enabler within the cyber crime ecosystem, facilitating ransomware attacks and other serious threats.”

The DOJ called the takedown — titled “Operation Duck Hunt” — the “largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.”

Officials said the FBI’s Los Angeles Field Office led the operation alongside other offices in New Haven, Connecticut, and Milwaukee. Donald Alway, the assistant director in charge of the FBI’s Los Angeles Field Office, said Qakbot is a “highly structured and multi-layered bot network that was literally feeding the global cybercrime supply chain.”

“These actions will prevent an untold number of cyberattacks at all levels, from the compromised personal computer to a catastrophic attack on our critical infrastructure,” he said.

The malware topped the U.S. government’s list of the most commonly seen malware strains in 2021. The FBI noted that it has been investigating Qakbot since 2011.

Ransomware and elder fraud

Qakbot, also known as Qbot and Pinkslipbot, had become the initial access method of choice for multiple high-profile ransomware gangs, including REvil, Black Basta, Conti, Egregor and MegaCortex.

After infecting victim computers with the Qakbot malware through malicious attachments in spam email messages, gangs could deploy their own ransomware and extort victims.

FBI officials said the total infections over the lifetime of the botnet are estimated to be in the millions and that between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims. On a press call an FBI official said they estimate the malware is responsible for hundreds of millions of dollars in victim losses.

The malware was used to target critical industries worldwide, and the Justice Department tied the botnet to attacks on a power engineering firm based in Illinois; financial services organizations based in Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California.

Researchers noted that the Black Basta ransomware gang used Qakbot during its attack on British government contractor Capita.

FBI officials noted that Qakbot was involved in a wide range of elder fraud scams, tech support schemes and other cybercrime.

"This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe," FBI Director Christopher Wray said.

An FBI official explained to reporters that they were able to infiltrate Qakbot’s network and redirect the botnet’s traffic through servers controlled by the FBI, which “in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware.”

“This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot,” they said.

The FBI and DOJ repeatedly said the operation only focused on the information installed on victim computers by Qakbot. When pressed for more information, the FBI noted that someone infected with Qakbot would not know the operation occurred.

The law enforcement agencies said they partnered with the popular website HaveIbeenpwned.com so that victims can enter their email address to see if they were a victim. Several other organizations, including Zscaler, the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, and the National Cyber Forensics and Training Alliance were involved in notifying victims and remediating the issue.

The Secureworks Counter Threat Unit, which has been tracking Qakbot for years, said it “represented a significant threat” and “was present on devices in nearly every country.”

“Qakbot was a significant adversary that represented a serious threat to businesses around the world. Engineered for eCrime, Qakbot infections led to the deployment of some of the most sophisticated and damaging ransomware,” said Don Smith, vice president of threat intelligence at Secureworks Counter Threat Unit.

“Qakbot has evolved over the years to become a flexible part of the criminal’s arsenal. Its removal is to be welcomed.”

FBI and DOJ officials declined to say whether the operation had any connections to state-backed hacking groups.

The operation against Qakbot resembles that of Emotet, which eventually resurfaced years later after a similar mass-uninstall effort by law enforcement agencies.

The U.S. State Department announced that it would be adding Qakbot to its Rewards for Justice program, urging anyone with information about its operators’ whereabouts to come forward.