Government authorities have scored another — if perhaps temporary — win in the fight against cybercriminals.
Police in seven countries, including the U.S., said Tuesday they infiltrated and took down the infrastructure behind the Qakbot botnet, and then used that access to order infected computers to delete the malware.
The action, dubbed Operation Duck Hunt, represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to distribute ransomware, commit financial fraud, and engage in other cyber-enabled criminal activity, the U.S. Justice Department said in a statement.
The malware was used by many threat actors, including ransomware groups, as an initial means of compromising IT systems.
The Qakbot malware [called QBot or Pinkslipbot by some cybersecurity companies] primarily infects victim computers through spam email messages containing malicious attachments or hyperlinks, the U.S. statement says. If a computer is successfully infected, Qakbot can deliver additional malware, including ransomware, to the infected computer. Qakbot has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.
According to BlackBerry, Qakbot was discovered in 2008. After updated versions were made available in 2015, Qakbot gained new momentum among threat actors. In 2020, threat researchers noted that the release of a novel Qakbot strain resulted in a 465 per cent increase in its year-over-year share of cyberattacks. In 2021, Qakbot was leveraged in the prominent cyber-breach of JBS, which disrupted its meat production facilities and forced a US$11 million ransom payment.
As part of the takedown, the FBI was able to gain access to Qakbot infrastructure and identify over 700,000 computers worldwide, including more than 200,000 in the United States, that appear to have been infected with Qakbot.
To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.
In addition to the U.S., authorities in France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia participated in the coup. As part of the combined action, US$9 million in cryptocurrency was also seized. Also credited with helping are Zscaler, Shadowserver, the Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and the Have I Been Pwned service.
Qakbot is a long-standing operation spanning more than a decade that has adapted and evolved with the times, noted Kimberly Goody, senior manager of Mandiant’s financial analysis unit. It initially focused on traditional banking fraud, and later pivoted to act as a foothold to support ransomware intrusions. “Any impact to these operations is welcomed, as it can cause fractures within the ecosystem and lead to disruptions that cause actors to forge other partnerships – even if it’s only temporary. Actors who were using Qakbot in ransomware intrusions, for example, may pivot to underground communities for initial access providers, resulting in more varied initial access tactics in the near term.”
Disrupting the Qakbot botnet of more than 700,000 victim computers is a great accomplishment for the FBI and their partners, said Chester Wisniewski, field CTO of applied research at Sophos. It will impose significant inconvenience on the botnet’s operators and dependent criminal groups. He added, “Sadly, this will not stop Qakbot’s masters from reconstituting it and continuing to profit from our security failures. Any time we can raise the cost for criminals to operate their schemes, we must take advantage of those opportunities, but this doesn’t mean we can rest on our laurels; we must continue to work to identify those responsible and hold them accountable to truly disable their operations.”