“The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm,” the U.S. Department of Justice (DOJ) announced.
Attorney General Merrick B. Garland said that the DOJ, together with its international partners, “has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the U.S. and around the world, and seized US$8.6 million in extorted funds.”
The operation, dubbed “Duck Hunt,” which took place in the U.S., France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom, “represents one of the largest U.S.-led disruptions of a botnet infrastructure used by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity,” according to the FBI.
“The FBI led a worldwide joint, sequenced operation that crippled one of the longest-running cybercriminal botnets,” said FBI Director Christopher Wray.
He stressed that the victims ranged from financial institutions on the East Coast to a vital infrastructure government contractor in the Midwest to a medical device maker on the West Coast.
According to court filings, Qakbot, also known as “Qbot” and “Pinkslipbot,” is operated by a cybercriminal group and is used to attack “critical industries” globally. Once a target computer has been compromised, the malware can distribute more software, including ransomware, to the affected machine.
Many prolific ransomware gangs, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta, have employed Qakbot as an initial form of infection in recent years, the DOJ stated.
It said that the ransomware operators then extort their victims, demanding bitcoin ransom payments before restoring access to the victim’s computers.
“These ransomware groups have caused significant harm to businesses, healthcare providers, and government agencies all over the world,” according to the DOJ.
The FBI emphasized that, since 2008, when it was created, Qakbot has been used in ransomware attacks and other cybercrimes that have resulted in hundreds of millions of dollars in damages to people and businesses in the U.S. and throughout the world.
As part of the “Duck Hunt” operation, the FBI got legitimate access to Qakbot’s infrastructure and identified over 700,000 infected computers globally, including more than 200,000 in the U.S.
“To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file. This uninstaller – created to remove the Qakbot malware – untethered infected computers from the botnet and prevented the installation of any additional malware.”
European law enforcement agencies – Eurojust and Europol, aided the investigation and played a critical role in fostering cross-border cooperation on the action day.
Eurojust stated that it actively facilitated cross-border judicial cooperation amongst the concerned national agencies, whilst Europol enabled information sharing, supported operational activity coordination, and sponsored operational meetings.
“As a result of this operation, the FBI and the Dutch National Police have identified numerous account credentials compromised by the Qakbot organization,” according to Eurojust.