Qakbot Malware Disruption Operation

LOS ANGELES – In a remarkable display of global cooperation, the United States Justice Department spearheaded a multinational operation involving coordinated actions across several countries – including France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia – to dismantle the notorious Qakbot botnet and neutralize its associated malware. This operation marks a significant step towards curtailing the activities of cybercriminals leveraging the Qakbot infrastructure to orchestrate ransomware attacks, financial fraud, and other forms of cybercrime.

Qakbot, also known as “Qbot” and “Pinkslipbot,” is a highly sophisticated and malicious code wielded by cybercriminal organizations. This malware infiltrates victim computers primarily through deceptive emails containing harmful attachments or links. Once inside, Qakbot opens the door for additional malware, including notorious ransomware variants like Conti, ProLock, and REvil.

Reza Rafati

Qakbot Malware Neutralized and Illicit Profits Seized

The focal point of the operation was the erasure of the Qakbot malicious code from countless victim computers, thus preventing further harm. Additionally, the Justice Department announced a monumental achievement in the form of seizing more than $8.6 million in cryptocurrency – profits garnered illicitly from the Qakbot cybercriminal network. This action stands as a groundbreaking financial and technical disruption, orchestrated by the United States, against a botnet that had become a cybercriminal staple.

Global Collaboration Yields Unprecedented Results

Attorney General Merrick B. Garland emphasized the operation’s message to cybercriminals: their actions are not beyond legal boundaries. He lauded the international coalition for hacking into Qakbot’s infrastructure, executing a widespread campaign to eliminate the malware from victim computers around the world, and effectively capturing $8.6 million in extorted funds.

United States Attorney Martin Estrada hailed the collaboration as a landmark event. The operation’s success dismantled Qakbot, previously a favored choice among ransomware groups, thereby preventing further losses to victims. He further highlighted that the seized cryptocurrency will be directed towards compensating victims, underscoring the commitment to protect their rights.

FBI’s Integral Role and Qakbot’s Global Impact

Donald Alway, Assistant Director in Charge of the FBI’s Los Angeles Field Office, extolled the Operation ‘Duck Hunt’ Team for its remarkable dedication. This multinational effort dismantled Qakbot, a highly intricate and multi-layered botnet, eroding a significant foundation of the global cybercrime supply chain. The operation’s success will likely thwart countless cyberattacks, from individual computers to critical infrastructure.

Qakbot: The Malicious Operative

According to court documents, Qakbot, also known as “Qbot” and “Pinkslipbot,” was under the control of a cybercriminal organization with a global reach. Employing tactics like spam emails containing malicious attachments or links, Qakbot effectively infiltrated victim computers. This foothold then facilitated the delivery of additional malware, including ransomware. Notably, numerous high-profile ransomware groups – such as Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta – utilized Qakbot to launch their attacks, causing significant harm worldwide.

Impact on Organizations and Extortion

These ransomware groups wreaked havoc across various sectors, victimizing businesses, healthcare providers, and governmental agencies. Notable targets included a power engineering firm in Illinois, financial services organizations across Alabama, Kansas, and Maryland, a defense manufacturer in Maryland, and a Southern California-based food distribution company. Investigative findings indicate that Qakbot administrators amassed approximately $58 million in ransom payments between October 2021 and April 2023.

Taking Down the Botnet Infrastructure

The operation’s apex was the FBI gaining access to the Qakbot infrastructure, through which it identified over 700,000 infected computers globally, including more than 200,000 in the United States. The FBI rerouted Qakbot’s command-and-control traffic through servers under its own control, which then instructed the infected computers to uninstall the malware. This maneuver severed the connection between victim computers and the Qakbot botnet, halting the spread of further malware through this avenue.

Industry Partnerships and Victim Remediation

The FBI received invaluable technical assistance from Zscaler. To maximize the operation’s impact, partnerships were established with the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned. These alliances facilitated victim notification and remediation efforts, bolstering the operation’s overall effectiveness.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolstering digital defenses and promoting cyber awareness.