In a major multinational operation, the United States FBI and the Justice Department have announced the disruption of the Qakbot botnet and malware. This operation involved coordinated actions in multiple countries, including the US, France, Germany, the Netherlands, the UK, Romania, and Latvia. The takedown of the Qakbot infrastructure represents the most significant financial and technical disruption of a botnet infrastructure used by cybercriminals for various illegal activities, including ransomware attacks and financial fraud.
The Qakbot malware, also known as “Qbot” and “Pinkslipbot,” has been infecting victims’ computers since 2008 primarily through spam emails that contain malicious attachments or links. Over the years, this malware has been responsible for causing hundreds of millions of dollars in losses to individuals and businesses worldwide. Notably, Qakbot has become the preferred botnet for notorious ransomware gangs such as Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. It has been reported that the administrators of Qakbot have received approximately $58 million in ransom payments from victims.
The FBI’s involvement in disrupting the Qakbot botnet was particularly significant. The agency gained access to the Qakbot infrastructure and identified over 700,000 infected computers worldwide, including more than 200,000 in the US. To disrupt the botnet, the FBI redirected Qakbot botnet traffic to and through servers under its control. Infected computers in the US and other countries were then instructed to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller effectively severed the connection between the victim’s computer and the Qakbot botnet, preventing further malware installations through Qakbot.
Simultaneously, the Department of Justice announced the seizure of over $8.6 million in cryptocurrency from the Qakbot cybercriminal organization. These funds will now be made available to the victims affected by the malware and related cybercrimes. FBI director Christopher Wray emphasized the significance of neutralizing this criminal supply chain, which targeted a wide range of victims, including financial institutions, government contractors, and medical device manufacturers.
Several organizations collaborated with the FBI on victim notification and remediation: the US Cybersecurity and Infrastructure Security Agency (CISA), Shadowserver, the Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned. The partnership with Have I Been Pwned is particularly noteworthy, as users can now search the platform for data recovered from the Qakbot malware. Founder Troy Hunt confirmed that the data is searchable but flagged as “sensitive,” so users must verify control of the associated email address, or search domains they own using the domain search feature. The passwords captured by the malware will also soon be searchable in the Pwned Passwords service.
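The Pwned Passwords service mentioned above is designed so that a password can be checked without ever being sent to the service: the client hashes it with SHA-1, sends only the first five hex characters of the hash, and receives every hash suffix in that range with its breach count, so the match is made locally. The following is an added example of that client-side check; it is not code from the article, the FBI or Have I Been Pwned. The `https://api.pwnedpasswords.com/range/` endpoint and the `Add-Padding` header are the real API; the range response body, its suffixes (apart from the genuine SHA-1 tail of the string "password") and its counts are constructed for the example, and the test data is served from that constructed body rather than from the network.

```python
"""Check a password against a Pwned Passwords range response without sending
the password itself: only the first 5 SHA-1 hex characters leave the client
(k-anonymity). Added example; the sample response below is constructed."""
import hashlib
import urllib.request

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint

# Constructed stand-in for the body the API returns for prefix 5BAA6. Real
# bodies hold hundreds of lines; the suffixes and counts here are invented,
# except that the first suffix is the genuine SHA-1 tail of "password".
# A count of 0 is what padding entries look like when Add-Padding is on.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
00000A1B2C3D4E5F60718293A4B5C6D7E8F:2
FFFFF0123456789ABCDEF0123456789ABCD:0
"""


def split_sha1(password):
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse a range response into {suffix: count}, ignoring padding (count 0)
    and malformed lines so a corrupted response cannot produce a false match."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.strip().upper()
        if not sep or len(suffix) != 35:
            continue
        try:
            n = int(count.strip())
        except ValueError:
            continue
        if n > 0:
            counts[suffix] = n
    return counts


def check_password(password, fetch_range):
    """Return how many times the password appears in breach data (0 = not seen).
    fetch_range(prefix) supplies the response body for the 5-char prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def sample_fetch(prefix):
    """Offline stand-in for the API: serves the constructed body for 5BAA6."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def fetch_range_live(prefix):
    """Live lookup against the real endpoint (not used by the offline demo).
    Add-Padding makes every response a similar size, hiding the range's
    true line count from a network observer."""
    req = urllib.request.Request(
        RANGE_ENDPOINT + prefix,
        headers={"User-Agent": "pwned-range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "some-long-unique-passphrase-7f3"):
        seen = check_password(pw, sample_fetch)
        print(f"{pw!r}: {'seen ' + str(seen) + ' times' if seen else 'not found'}")
```

Only the five-character prefix ever reaches the server, so a compromised or observed connection learns nothing usable about the password itself; swapping `sample_fetch` for `fetch_range_live` turns the demo into a real check.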
The disruption of the Qakbot botnet and malware infrastructure is a significant victory for international law enforcement agencies. By dismantling this criminal network, they have successfully curtailed the activities of cybercriminals who exploited Qakbot for their illicit gain. The operation not only protects victims from further harm but also sends a strong message that the global community is actively working together to combat cybercrime.
