
Global Crackdown: Multinational Operation Disrupts Qakbot Botnet's Malicious Infrastructure

In a groundbreaking cross-border maneuver, the United States FBI and the Justice Department have orchestrated a multinational crackdown spanning the US, France, Germany, the Netherlands, the UK, Romania, and Latvia. Their target? The notorious Qakbot botnet and its malicious software infrastructure, which have long fueled ransomware assaults, financial scams, and various cybercrimes. This operation marks a historic stride in the battle against cybercriminals exploiting such platforms for illicit gain.

Qakbot, also recognized under aliases such as "Qbot" and "Pinkslipbot," spread through malevolent attachments or links nestled within spam emails. Since its inception in 2008, Qakbot has spearheaded ransomware offensives and other digital misdeeds, racking up substantial losses in the hundreds of millions across US and international victims. Lately, it gained notoriety as the favored choice of ransomware heavyweights like Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta, pocketing around $58 million in extorted ransoms.

The FBI ingeniously rerouted Qakbot's data traffic through its own servers, wresting control from the cybercriminals. This enabled the agency to deploy an uninstaller to over 700,000 afflicted computers, including 200,000 in the US, effectively severing their ties to the malicious botnet and thwarting any further malware installation.

Furthermore, the Department of Justice successfully confiscated over $8.6 million in cryptocurrency from the Qakbot syndicate, a sum poised to be restituted to victims. FBI Director Christopher Wray emphasized the operation's far-reaching success, dismantling a sprawling criminal network that preyed on a diverse array of targets.

Collaborating with the US Cybersecurity and Infrastructure Security Agency (CISA), Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned, the FBI has taken a multi-pronged approach to victim notification and damage mitigation.

Troy Hunt, founder of Have I Been Pwned, reported that Qakbot's malware data is now searchable on the platform, while passwords derived from the malware will soon feature in the Pwned Passwords service, heightening awareness and protection.

Austin Berglas, Global Head of Professional Services at BlueVoyant and former FBI Cyber Division Special Agent, shared insights on the takedown and how it aligns with previous takedowns:


"The complete dismantlement of the Qakbot operation's infrastructure and the ability to coordinate a major global operation with international partners is the real success story.


Identifying and arresting the individuals responsible is the next, and often most difficult chapter in the investigation. The FBI's willingness to undertake multi-year, complex, global investigations is the reason why today, so many thousands of victims are no longer unwitting members of a massive botnet of infected computers.


This is not the first time the FBI conducted remote operations at scale against international criminal groups. In 2011, the FBI and partners dismantled and arrested six Estonian nationals who were responsible for running the Rove criminal enterprise. In Operation Ghost Click, this criminal group used malware that was used to infect approximately 4 million computers globally and redirected them to rogue servers allowing them to control the computers, direct them to fraudulent websites, and generate millions of dollars in fraudulent advertising fees. After a complex investigation, the FBI obtained court orders authorizing them to deploy and maintain clean servers, redirect victim computers and ensure that the millions of victims did not lose internet connectivity."


The fate of Qakbot itself remains uncertain, with precedents like the Emotet botnet experiencing temporary setbacks before resurgence.

In the quest to shield against Qakbot and analogous botnet malware, security experts advocate maintaining up-to-date antivirus software, embracing robust, unique passwords managed by a password manager, and adopting multifactor authentication for critical services. For system administrators, CISA's comprehensive report offers deeper insight into Qakbot's mechanics and tools to identify its presence within networks.
