Qakbot hackers now pushing Cyclops/Ransom Knight ransomware, Cisco says

The hackers behind the Qakbot malware have shifted their focus to distributing ransomware, according to security researchers.

The report comes just weeks after law enforcement agencies in the U.S., France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia joined forces to take down Qakbot — one of the most prolific and longest-running botnets.

The agencies not only shut down Qakbot’s computer infrastructure but also proactively removed the malware from infected devices.

On Thursday, researchers from Cisco Talos said that even though the Qakbot malware infrastructure was dismantled, the hackers behind it have been able to keep their distribution tools intact, now using them to spread variants of the Cyclops/Ransom Knight ransomware as well as backdoor malware.

The researchers said the malicious files’ names indicate that the ransomware is being distributed using phishing emails, matching tactics used in past Qakbot campaigns. Some file names are written in Italian, leading Cisco Talos researchers to believe that people in Europe are being targeted.

“The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails,” they said.

“Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.”

When examining the metadata of the malicious files, the researchers got information about the machines used and said it matched those used in previous Qakbot campaigns.

They warned that Qakbot is “likely continue to pose a significant threat moving forward, as the developers were not arrested and Talos assesses they are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure.”

Never completely gone

The August operation against Qakbot involved the seizure of infrastructure and cryptocurrency assets used by the group. But almost immediately, experts questioned whether the lack of arrests tied to the operation would allow the actors behind the malware to simply retool.

Austin Berglas, a former special agent in the FBI Cyber Division, previously told Recorded Future News that there is always a concern about a potential resurgence of groups, particularly those operating powerful botnets.

“It’s very similar to a street gang selling drugs on a street corner. If the police increase presence and prevent the gang from selling drugs on that particular corner, there is nothing stopping them from going to another part of the city, establish operations, and resume the activity,” said Berglas, who is now global head of professional services at BlueVoyant.

“True dismantlement of an organization requires identifying, arresting, and prosecuting the personnel, as well as taking down the technical infrastructure.”

Senior FBI and Justice Department officials called it “the most significant technological and financial operation ever led by the Department of Justice against a botnet” but declined to say if any arrests were made, only citing in-person efforts by authorities in Latvia to take down servers.

Machine serial numbers

Cisco Talos researchers said they believe that the hackers behind one Qakbot campaign that ran from 2021 to 2022 are still active.

One machine with a drive serial number of “0x2848e8a8” was later used in another campaign Cisco identified. But from then on, the hackers began to wipe out the metadata in their LNK files — also known as Windows shortcuts — to make detection and tracking harder.

“Talos identified new LNK files in August 2023 that were created on the same machine referenced above, but observed that the payload of the files pointed to a network share in the command line that served a variant of Cyclops/Ransom Knight ransomware,” they said.

“The filenames of these LNK files, with themes of urgent financial matters, suggest they are being distributed in phishing emails, which is consistent with previous Qakbot campaigns.”

The files are being shared inside zip archives that also contain an XLL file. XLL is an extension used for Excel add-ins, and comes with an icon similar to other Excel file formats.

These XLL files are the Remcos backdoor, which is executed alongside the Ransom Knight ransomware. The backdoor gives the hackers access to the machine after it is infected.

According to Cisco Talos, Ransom Knight is an updated version of the Cyclops ransomware-as-a-service, rewritten from scratch. The threat actor behind the Cyclops service announced the new variant in May 2023.

Recorded Future ransomware expert Allan Liska said the ransomware -- which most researchers refer to as Knight -- is considered lower tier. Its predecessor has been around since 2015 but the new version of it has been active since August.

"They are a lower tier ransomware, but the involvement of the team behind Qakbot could change that, especially if Qakbot becomes fully operational again," he said. "I am not saying that Qakbot is behind this ransomware, instead that the people behind this ransomware are using the services of the Qakbot team."

Likewise, the Cisco Talos researchers said they do not believe the Qakbot actors are behind that ransomware gang but instead are simply customers.

“As this new operation has been ongoing since the beginning of August 2023 and has not stopped after the takedown, we believe the FBI operation didn’t affect Qakbot’s spam delivery infrastructure but only its command and control servers,” they said.

“We assess Qakbot will likely continue to pose a significant threat moving forward. Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.”