International Cyber-Takedown Interrupts Qakbot Malware

Today, the Justice Department announced a coordinated international effort to shut down the botnet and malware known as Qakbot. The operation involved the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia. The Qakbot code is being removed from infected PCs, preventing further damage.

The Department of Justice also revealed that they had recovered unlawful proceeds worth about $8.6 million in cryptocurrencies.
This is the largest financial and technological disruption of a botnet infrastructure used by cybercriminals for ransomware, financial fraud, and other cyber-enabled criminal behavior, and it was spearheaded by the United States.

Today's action is a reminder to cybercriminals who use malware like Qakbot to steal private data from innocent victims, said Attorney General Merrick B. Garland. The Justice Department, in conjunction with its international partners, “hacked Qakbot’s infrastructure,” “launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world,” and “seized $8.6 million in extorted funds.”

Qakbot, also known as “Qbot” and “Pinkslipbot,” is, according to court filings, operated by a cybercriminal group and used to attack important industries around the world. Typically, Qakbot infects a PC when a user opens a spam email containing a malicious attachment or link. Once Qakbot infects a computer, it can spread to other systems and install additional malware, including ransomware. Ransomware families such as Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta have all used Qakbot as their primary attack vector in recent years.

The perpetrators of ransomware blackmail their victims by demanding bitcoin payments before restoring access to their systems. Companies, hospitals, and government institutions all throughout the world have been hit hard by these ransomware gangs.

According to FBI Director Christopher Wray, “the FBI led a worldwide joint, sequenced operation that crippled one of the longest-running cybercriminal botnets.” Cybercriminal organizations, their enablers, and the money they use to fund their activities will continue to be methodically targeted by the United States government and its foreign and domestic allies. The results of today’s operation show once again that the FBI’s resources and approach are effectively combating cybercrime and increasing public safety.

Qakbot-infected systems form a botnet, a network of compromised computers that allows the attackers to command and manage the entire network from a central location. The infected computer’s owner or operator usually has no idea it is infected.

“An international partnership led by the Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world,” said U.S. Attorney Martin Estrada for the Central District of California. Some of the most notorious ransomware groups used the Qakbot botnet, but we were able to knock it down.

In addition, about $9 million in bitcoin belonging to the Qakbot cybercriminal group was seized as part of this operation and will now be made available to victims. The mission of my office is to defend the rights of those who have been wronged, and this multipronged assault on cybercrime shows how seriously we take the protection of the American people from threats to the digital realm.

During the takedown, the FBI gained access to the Qakbot infrastructure and found that the malware had infected over 700,000 systems globally, including over 200,000 in the United States alone. The FBI broke the botnet by rerouting Qakbot traffic through servers under FBI control, which directed infected computers in the United States and overseas to download a file created by law enforcement that uninstalled the Qakbot malware. This uninstaller removes Qakbot from the victim’s PC and prevents the botnet from installing any additional malware.

The law enforcement operation was limited to the malware planted on victim computers by the Qakbot actors. It did not remove other malware already present on the compromised machines, and it did not access or modify the data of the machines’ owners or users.

Zscaler gave invaluable technical support. In order to better assist with victim notification and remediation, the FBI has formed partnerships with organizations including Shadowserver, Microsoft’s Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned.

The operation was carried out by the Los Angeles Field Office of the FBI, the U.S. Attorney’s Office for the Central District of California, and the Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division, in conjunction with Eurojust. Europol, the French Cybercrime Central Bureau and the Cybercrime Section of the Paris Prosecution Office, the German Federal Criminal Police and the General Public Prosecutor’s Office Frankfurt/Main, the Dutch National Police and the National Public Prosecutor’s Office, the UK National Crime Agency, the Romanian National Police, and the Latvian State Police all contributed significantly to the investigation.

Significant support was supplied by the FBI Milwaukee Field Office and the Justice Department’s Office of International Affairs.

The United States was represented by CCIPS Trial Attorneys Jessica Peck, Ryan K.J. Dickey, and Benjamin Proctor, as well as Central District of California Assistant U.S. Attorneys Khaldoun Shobaki and Lauren Restrepo.

Additional information and resources, including those for victims, can be accessed at www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources, which will be updated as new information and resources become available.
