Qakbot, one of the largest and longest-running botnets to date, was taken down following a multinational law enforcement operation spearheaded by the FBI and known as Operation ‘Duck Hunt.’
The botnet (also known as Qbot and Pinkslipbot) was linked by law enforcement to at least 40 ransomware attacks against companies, healthcare providers, and government agencies worldwide, causing hundreds of millions of dollars in damage, according to conservative estimates. Over the past 18 months alone, losses have surpassed 58 million dollars.
Over the years, Qakbot consistently served as an initial-access vector for ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta: a Qakbot infection gave these groups the foothold from which the ransomware payload was later deployed.
“The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast,” FBI Director Christopher Wray said.
“This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe.”
The FBI dismantled Qakbot’s infrastructure after it infected over 700,000 computers (over 200,000 in the United States).
FBI agents redirected Qakbot traffic to servers controlled by the agency after gaining access to its command-and-control servers on Friday night.
Control of the command-and-control channel allowed the FBI to push an uninstaller to compromised devices across the globe through the botnet's own update mechanism, removing the Qakbot malware, untethering the machines from the botnet, and preventing the delivery of additional malicious payloads.
“The scope of this law enforcement action was limited to information installed on the victim computers by the Qakbot actors,” the Justice Department said in a press release today.
“It did not extend to remediating other malware already installed on the victim computers and did not involve access to or modification of the information of the owners and users of the infected computers.”
The list of partners the FBI worked with throughout this joint operation includes Europol, French Police Cybercrime Central Bureau and the Cybercrime Section of the Paris Prosecution Office, Germany’s Federal Criminal Police and General Public Prosecutor’s Office Frankfurt/Main, Netherlands National Police and National Public Prosecution Office, the United Kingdom’s National Crime Agency, Romania’s National Police, and Latvia’s State Police.
The FBI also worked with CISA, Shadowserver, the Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to notify victims.
The operation was coordinated by the FBI’s Los Angeles Field Office, the U.S. Attorney’s Office for the Central District of California, and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS), in cooperation with Eurojust.
“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out. This operation also has led to the seizure of almost 9 million dollars in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims,” said U.S. Attorney Martin Estrada.
In May, cybersecurity and intelligence agencies from all Five Eyes member nations also took down the Snake peer-to-peer botnet operated by Russia’s Federal Security Service (FSB) and linked to the notorious Turla hacking group.