U.S. authorities said on Tuesday a multinational law enforcement operation dismantled “Qakbot,” one of the most notorious botnet malware p...
U.S. authorities said on Tuesday a multinational law enforcement operation dismantled “Qakbot,” one of the most notorious botnet malware platforms controlled by cybercriminals used to carry out criminal financial activities.
“Qakbot malware infected more than 700,000 victim computers, facilitated ransomware deployments, and caused hundreds of millions of dollars in damage” to businesses, healthcare providers, and government agencies all over the world, the U.S. Department of Justice said in a news release.
The Federal Bureau of Investigation said in a news release that the operation took place in the U.S., France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom — making it one of the largest disruptions of a botnet infrastructure used by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.
“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” FBI Director Christopher Wray said in a news release. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”
FBI officials said they dismantled the botnet by lawfully gaining access to its infrastructure and redirecting the traffic to the bureau’s servers, which then instructed infected computers to download an uninstaller file created by law enforcement to untether the victims from the botnet and prevent further malware infection from Qakbot.
During the operation, named “Operation Duck Hunt,” federal authorities said they recovered more than 6.5 million victims’ email addresses and password credentials with millions more still being identified and seized 52 servers that they said would “permanently dismantle” the system.
Qakbot malware, otherwise known as “Qbot” and “Pinkslipbot,” was created in 2008 and became a platform for ransomware attacks and other cybercrimes that infected victim computers primarily through spam emails containing malicious hyperlinks, authorities said. After a user engaged with the content contained in the email, the platform delivered malware or ransomware to the victim’s computer, unknowingly becoming a part of a botnet network controlled by the Qakbot.
Security researchers told Reuters they believe the hacking network originated in Russia.
In the U.S., the ransomware infected more than 200,000 computers belonging to several critical infrastructure industries, including a power engineering firm based in Illinois; financial services organizations based in Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California, according to authorities.
Between October 2021 and April 2023, investigators said the platform’s administrators received approximately $58 million in ransoms paid by victims. However, such attacks allegedly caused millions of dollars in losses to individuals and businesses worldwide.
Authorities also announced they seized over $8.6 million in cryptocurrency in illicit profits and are still deleting the malicious code from victims’ computers.
“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” U.S. Attorney Martin Estrada said in a news release. “This operation also has led to the seizure of almost 9 million dollars in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims. My Office’s focus is on protecting and vindicating the rights of victims, and this multifaceted attack on computer-enabled crime demonstrates our commitment to safeguarding our nation from harm.”
The U.S. State Department’s Rewards for Justice program would award up to $10 million for information leading to the Qakbot operator’s identities.
No comments