
Qakbot, one of the largest and longest-running botnets to date, was taken down following a multinational law enforcement operation spearheaded by the FBI and known as Operation ‘Duck Hunt.’

The botnet (also known as Qbot and Pinkslipbot) was linked by law enforcement to at least 40 ransomware attacks against companies, healthcare providers, and government agencies worldwide, causing hundreds of millions of dollars in damage, according to conservative estimates. Over the past 18 months alone, losses have surpassed 58 million dollars.

Throughout the years, Qakbot has consistently served as an initial infection vector for various ransomware gangs and their affiliates or operators, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta.

“The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast,” FBI Director Christopher Wray said.

“This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe.”

Taken down after taking control of Qakbot admin’s PC

The FBI dismantled Qakbot, which had infected over 700,000 computers (over 200,000 in the United States), after infiltrating parts of the botnet’s infrastructure, including one of the computers used by a Qakbot admin.

“On one such computer used by a Qakbot administrator, the FBI located many files related to the operation of the Qakbot botnet. Those files included communications (e.g., chats discussed in detail below) between the Qakbot administrators and co-conspirators and a directory containing several files holding information about virtual currency wallets,” according to court documents.

“A different file, found elsewhere on the same computer, named ‘payments.txt,’ contained a list of ransomware victims, details about the ransomware group, computer system details, dates, and an indication of the amount of BTC paid to the Qakbot administrators in connection with the ransomware attack.”

On Friday night, the FBI redirected Qakbot traffic to servers controlled by the agency, which provided the FBI with the access needed to deploy an uninstaller to compromised devices across the globe, clearing the infection and preventing the deployment of additional malicious payloads.

While victims received no notification when the uninstaller was executed to remove the malware from their systems, the FBI notified them using IP address and routing information collected from the victims’ computers when deploying the removal tool.

Furthermore, people can check if their devices were infected by submitting their email addresses on Have I Been Pwned or the Dutch National Police websites.

We also published a follow-up story with more details on how the FBI was able to nuke the Qakbot malware from Windows computers infected by the botnet.

“The scope of this law enforcement action was limited to information installed on the victim computers by the Qakbot actors,” the Justice Department said in a press release today.

“It did not extend to remediating other malware already installed on the victim computers and did not involve access to or modification of the information of the owners and users of the infected computers.”

The list of partners the FBI worked with throughout this joint operation includes Europol, French Police Cybercrime Central Bureau and the Cybercrime Section of the Paris Prosecution Office, Germany’s Federal Criminal Police and General Public Prosecutor’s Office Frankfurt/Main, Netherlands National Police and National Public Prosecution Office, the United Kingdom’s National Crime Agency, Romania’s National Police, and Latvia’s State Police.

The FBI also worked with CISA, Shadowserver, the Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to notify victims.

The operation was coordinated by the FBI’s Los Angeles Field Office, the U.S. Attorney’s Office for the Central District of California, and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS), in cooperation with Eurojust.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out. This operation also has led to the seizure of almost 9 million dollars in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims,” said U.S. Attorney Martin Estrada.

In May, cybersecurity and intelligence agencies from all Five Eyes member nations also took down the Snake peer-to-peer botnet operated by Russia’s Federal Security Service (FSB) and linked to the notorious Turla hacking group.

Source: www.bleepingcomputer.com