
U.S. Successfully Targets QakBot, Secretly Eliminates Botnet Infections – Krebs on Security


In a major operation known as “Duck Hunt,” the U.S. government has carried out a coordinated takedown of QakBot, a long-running malware family used by multiple cybercrime groups as the initial foothold that precedes ransomware deployment. The operation seized the botnet’s online infrastructure and quietly removed the QakBot malware from tens of thousands of infected Microsoft Windows computers.

The U.S. Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) jointly announced the international operation. They revealed that they had obtained court orders to eliminate QakBot from compromised devices and to seize the servers used to operate the botnet. At a press conference in Los Angeles, U.S. attorney Martin Estrada declared that this operation marked the most significant technological and financial initiative ever led by the Department of Justice against a botnet. Estrada also stated that QakBot has been involved in 40 different ransomware attacks in the past 18 months, causing a cumulative loss of over $58 million for the victims.

Originally emerging as a banking trojan in 2007, QakBot, also known as Qbot and Pinkslipbot, has evolved into an advanced malware strain now leveraged by multiple cybercriminal groups to prepare newly compromised networks for ransomware infections. The malware is typically delivered through email phishing attacks disguised as urgent and legitimate documents such as invoices or work orders.

Assistant Director Don Alway, in charge of the FBI’s Los Angeles field office, disclosed that federal investigators gained access to the online panel the operators used to monitor and control the botnet. With court-ordered approval, they used that access to instruct every infected system to uninstall QakBot and disconnect itself from the botnet. According to the DOJ, the control panel showed that QakBot had infected more than 700,000 computers in the past year alone, including 200,000 systems in the United States.

Collaborating with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania, and the United Kingdom, the DOJ successfully seized more than 50 internet servers associated with the QakBot network. Additionally, they confiscated nearly $9 million in illicitly obtained cryptocurrency from those behind QakBot. However, the DOJ did not provide details about any arrests or questioning of suspects related to QakBot, as an investigation is ongoing.

According to recent figures from managed security firm Reliaquest, QakBot is the most prevalent malware loader in the wild. A loader is malicious software whose job is to establish a foothold on a compromised machine and then fetch and run additional payloads, such as remote-access tools or ransomware. Reliaquest reported that QakBot infections accounted for nearly one-third of all loaders it observed during the first half of this year.

Researchers from AT&T Alien Labs added more insights into the QakBot botnet, stating that the individuals responsible for its maintenance have rented it out to various cybercrime groups over the years. More recently, QakBot has been closely associated with ransomware attacks from Black Basta, a prolific Russian-language criminal group that appears to have branched off from the Conti ransomware gang.

This operation is not the first time the U.S. government has used court orders to remotely disinfect compromised systems. In May 2023, the DOJ and FBI disabled the “Snake” malware on infected computers worldwide; Snake is an older espionage malware family attributed to Russia’s Federal Security Service (FSB).

Documents released by the DOJ in support of the QakBot takedown describe the methodology. Starting on August 25, 2023, law enforcement gained access to the QakBot botnet and redirected its traffic through servers under law-enforcement control, so that infected machines checking in for instructions reached those servers instead of the operators’ infrastructure. The bots were then instructed to download a QakBot Uninstall file that removed the malware from the compromised machines. It is important to note that the uninstaller did not remediate any other malware already present on those computers; its sole purpose was to untether victims from the QakBot botnet and prevent further malware from being installed through it. For defenders, a host that was untethered this way should still be treated as compromised: any follow-on payloads QakBot had already dropped, and any credentials it had already harvested, remain in play.

In addition to these actions, the DOJ recovered more than 6.5 million stolen passwords and other credentials. It shared this data with “Have I Been Pwned” and with the “Check Your Hack” website run by the Dutch National Police, both of which allow users to check whether their credentials were among those exposed.

The QakBot takedown highlights the continuing effort by law enforcement agencies and security researchers to counter the loader-to-ransomware pipeline. By seizing the infrastructure behind QakBot and removing the malware from infected devices, authorities have dealt a significant blow to the groups that depended on it, even if, as the DOJ’s own documents make clear, cleanup of previously compromised networks remains the victims’ responsibility.
