Major Global Malware Network Taken Down


LOS ANGELES — In a significant operation, U.S. officials, in collaboration with their European counterparts, have successfully infiltrated and seized control of a major global malware network. This network has been responsible for a wide range of online crimes, including devastating ransomware attacks, for over 15 years.

During the announcement of the takedown, Martin Estrada, the U.S. attorney in Los Angeles, revealed that Qakbot victimized almost every sector of the economy. Over the course of 18 months, the criminal network conducted approximately 40 ransomware attacks, resulting in a staggering $58 million in illicit gains for the Qakbot administrators.

Among Qakbot’s victims were an Illinois-based engineering firm, financial services organizations in Alabama and Kansas, a Maryland defense manufacturer, and a Southern California food distribution company.

Although $8.6 million in cryptocurrency was seized or frozen during the operation, no arrests have been made yet.

The investigation is still ongoing, according to Estrada. He did not disclose the location of the malware's administrators, who used the infected machines to build a botnet of zombie computers. Cybersecurity researchers believe these individuals are based in Russia and/or other former Soviet states.

The Qakbot Malware: A Devastating Cybercriminal Tool

Officials estimate that the Qakbot malware, also known as Pinkslipbot and Qbot, has caused hundreds of millions of dollars in damage since its emergence as an information-stealing bank trojan in 2008. This versatile tool has affected millions of people in nearly every country worldwide.

How Qakbot Operates

Qakbot is typically delivered through phishing emails, giving criminal hackers initial access to compromised computers. Once inside, they can deploy additional payloads that enable a range of malicious activity, from deploying ransomware and stealing sensitive information to gathering intelligence on victims that then facilitates financial fraud and crimes such as tech support and romance scams.

The Global Impact

The Qakbot network has played a significant role in supplying the global cybercrime ecosystem, said Donald Alway, Assistant Director in charge of the FBI’s Los Angeles office, who called it “one of the most devastating cybercriminal tools in history.” Qakbot was the most commonly detected malware in the first half of 2023: according to findings from cybersecurity firms, it affected one in 10 corporate networks and accounted for approximately 30% of attacks globally.

Rooting Out Initial Access Tools

By using Qakbot, cybercriminals skip the initial steps of penetrating a computer network, making it easier for extortionist ransomware gangs to operate. These gangs, predominantly Russian-speaking, have caused widespread disruption by stealing data from and targeting schools, hospitals, local governments, and businesses across the globe.

FBI and Europol Join Forces to Take Down Qakbot Botnet

In an operation named “Duck Hunt,” the FBI worked with Europol and law enforcement agencies in France, the United Kingdom, Germany, the Netherlands, Romania, and Latvia to dismantle the Qakbot botnet. The joint effort seized more than 50 Qakbot servers and identified more than 700,000 infected computers, over 200,000 of them in the U.S.

Using the seized infrastructure, the FBI remotely pushed an update that removed the Qakbot malware from thousands of compromised computers. An FBI official cautioned, however, that the exact number of cleaned machines remains uncertain, and that removing Qakbot does not remove any other malware that may still be present on those devices.

This is the FBI’s most significant success against cybercrime since it dismantled the Hive ransomware gang earlier this year in a similar hacking operation.

“It is an impressive takedown. Qakbot held the record for the largest number of victims within a botnet,” stated Alex Holden, founder of Milwaukee-based Hold Security. He also suggested that the botnet’s massive growth over recent years may have ultimately contributed to its downfall. “Large botnets tend to collapse as many threat actors exploit the data for various malicious purposes.”

Chester Wisniewski, a cybersecurity expert at Sophos, echoed this sentiment and predicted a temporary decrease in ransomware attacks following the disruption of Qakbot. However, Wisniewski also warned that criminals may quickly rebuild their infrastructure or shift to other botnets.

“While this operation will undoubtedly disrupt several criminal groups in the short term, it will not prevent them from regrouping,” cautioned Wisniewski. “It is worth noting that recruiting 700,000 PCs takes considerable time and effort.”

This joint effort between international law enforcement agencies demonstrates their commitment to safeguarding the global digital ecosystem from cyber threats. Although challenges persist, the operation is a significant step toward combating cybercrime at global scale.
