Global cyber takedown on notorious Qakbot malware

The malware has infected more than 700,000 computers worldwide, and was favoured by leading ransomware groups.

Qakbot, one of the “most notorious” and longest-running cybercriminal botnets, has been disrupted and taken down in a multinational operation.

The Qakbot malware, which has infected more than 700,000 victim computers globally, has now been deleted from those computers and can do no more harm, the Department of Justice announced. About $8.6m in cryptocurrency from illicit profits was also seized in the takedown.

This action, which represents the largest US-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit cybercrimes, was performed by authorities from the US, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia.

“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” said Attorney General Merrick B Garland. “Together with our international partners, the Justice Department has hacked Qakbot’s infrastructure, and launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world.”

Spam emails with malicious attachments

According to court documents, Qakbot, which also went by the names “Qbot” and “Pinkslipbot,” was controlled by a cybercriminal organization that used the malware to target critical industries all over the world. Victims were primarily infected through spam emails that contained malicious attachments or hyperlinks. Once a victim computer was infected, additional malware, such as ransomware, was delivered to it.

The victim computers were also part of a botnet, a network of compromised computers through which the cybercriminals could remotely control many infected machines in a coordinated manner. Numerous businesses, healthcare providers, and government agencies all over the world have been targeted this way; the ransomware actors then demand ransom payments in bitcoin before returning access to the victim computer networks.

Ransomware groups

Many of the big ransomware groups have used Qakbot through the years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” said US Attorney Martin Estrada for the Central District of California. “This operation also has led to the seizure of almost nine million dollars in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims.”

With the takedown of Qakbot, the FBI was able to gain access to its infrastructure and identify over 700,000 affected computers worldwide, more than 200,000 of them in the US. The FBI redirected Qakbot’s botnet traffic to and through servers under its own control, and was then able to uninstall the malware from affected computers and prevent Qakbot from installing further malware on them.