FBI Leads Takedown Of Qakbot Malware Infecting 700,000 Computers

Law enforcement agencies across multiple countries have carried out an international takedown of the infrastructure belonging to the Qakbot malware.

Led by the US FBI and Department of Justice, but also involving the UK’s National Crime Agency (NCA) and a number of European agencies, the international takedown operation resulted in the seizure of Qakbot’s infrastructure in the US and across Europe on Saturday [26 August], with the NCA ensuring UK servers were also taken offline.

Qakbot malware (also known as ‘Qbot’ and ‘Pinkslipbot’) infected more than 700,000 computers globally via spam emails, and is “now being deleted from victim computers, preventing it from doing any more harm.”

Qakbot takedown

As well as the takedown, US authorities also seized approximately $8.6 million in cryptocurrency in illicit profits.

The administrators behind Qakbot offered access to it for a fee and it was a go-to service for cyber criminals for at least 16 years.

The takedown represents the largest US-led financial and technical disruption of a botnet infrastructure utilised by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity, the US DoJ said.

It happened the 700,000 infected computers were reportedly tricked into downloading an uninstaller from FBI servers.

According to court documents, Qakbot is controlled by a cybercriminal organisation and used to target critical industries worldwide.

The Qakbot malware primarily infects victim computers through spam email messages containing malicious attachments or hyperlinks. Once it has infected a victim computer, Qakbot can deliver additional malware, including ransomware, to the infected computer.

Qakbot was used by the criminal gangs behind the notorious Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta ransomware strains.

The ransomware actors then extort their victims, seeking ransom payments in bitcoin before returning access to the victim computer networks.

“This investigation has taken out a prolific malware that caused significant damage to victims in the UK and around the world,” said Will Lyne, head of cyber intelligence at the NCA. “Qakbot was a key enabler within the cyber crime ecosystem, facilitating ransomware attacks and other serious threats.”

“The NCA is focused on disrupting the highest harm cyber criminals by targeting the tools and services that underpin their offending,” said Lyne. “This activity demonstrates how, working alongside international partners, we are having an impact on those key enablers and the ransomware business model.”

“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” said US Attorney General Merrick B. Garland.

“Together with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world, and seized $8.6 million in extorted funds,” said Garland.

“The FBI led a worldwide joint, sequenced operation that crippled one of the longest-running cybercriminal botnets,” said FBI Director Christopher Wray. “With our federal and international partners, we will continue to systematically target every part of cybercriminal organisations, their facilitators, and their money – including by disrupting and dismantling their ability to use illicit infrastructure to attack us. Today’s success is yet another demonstration of how FBI’s capabilities and strategy are hitting cyber criminals hard, and making the American people safer.”

There was no reports of any actual arrests however, leading to questions about the longevity of the takedown.

Data theft, ransomware

However the takedown was welcomed by a number of cybersecurity experts.

“This takedown should act as a warning to other cybercrime operations that the law is always watching and the chances of getting caught get higher every day,” said Ryan McConechy, CTO of cyber security service provider Barrier Networks.

“Qakbot is a notorious information stealer that has evolved over the last 15 years in tandem with cybercrime activity,” said McConechy. “The malware traditionally focused on stealing information – such as bank details, but more recently it has been coupled with ransomware to gain an initial foothold on organisations. The malware has been spread via phishing emails and HTML files, which have been very difficult to spot to the untrained eye. This has made Qakbot one of the most effective, popular and dangerous threats of the last decade.”

“But, is this the last we will hear of Qakbot?” asked McConechy. “Hopefully yes, but until law enforcement catches the criminals behind the operation, there is still a chance they will resurface again with new and improved infrastructure.”

“As a result, organisations should therefore never use this as an excuse to get complacent with cybersecurity,” said McConechy. “Yes, one major malware variant is out of operation, but thousands of others are still active. Instead, educating staff on cyber threats, keeping systems up to date with patches, and layering security to make it harder for attackers to breach networks must be the focus.”

Banking trojan

Meanwhile Mike Newman, CEO of cloud-based identity service specialist My1Login also welcomed the takedown, saying it is big win for law enforcement because Qakbot is a sophisticated banking trojan that has caused havoc to businesses for years.

“Criminals have used the malware’s backdoor capabilities to install ransomware on target machines, steal passwords by monitoring keystrokes or steal bank information from victims,” said Newman.

“The malware was distributed via phishing, where users were encouraged to open malicious attachments or links before the payload would load on to their machines,” said Newman. “Unless the victim was scanning for the malware, it would often go completely missed, until ransomware was executed, or passwords were stolen from victims.”

“The malware once again highlights the importance of security awareness training among employees, and the need for them to think before they click,” said Newman.

“With the malware also being used to steal corporate passwords, this acts as another reminder of the importance of using a solution to remove credentials from the hands of employees. When employees do not know their passwords, they can’t hand them out to phishing scammers, plus they can’t be stolen via malware that monitors keystrokes, because they don’t have to type them in anywhere.”

Dangerous malware

Tim West, Head of cyber threat intelligence at WithSecure (formerly F-Secure), also said this takedown was a big win, as Qakbot was a dangerous piece of malware.

“Qakbot is (hopefully now: was) an extremely prominent and dangerous malware involved in numerous ransomware cases almost certainly causing significant damage to business, livelihood, and society,” said West.

“As such this news should be celebrated as a huge win for all involved,” said West. “Alluded to in the write ups, a lot of different organisations across different nations were involved in this case, from public to private individuals and organisations and this really demonstrates the power of a cooperation across the ‘goodies’ in the fight against cybercrime.”

“This will almost certainly cause disruption to malicious actors, dent nefarious operations and in an environment where ransomware numbers are seemingly ever-increasing, this success should be celebrated and replicated,” said West. “The only true competition in cyber security is against the adversary. Well done to all involved (named and unnamed).”