
FBI, Partners Dismantle Qakbot ... Cyber Takedown


David H. Lipman


FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown


Quote

On August 29, the FBI and the Justice Department announced a multinational operation to disrupt and dismantle the malware and botnet known as Qakbot.   
 
The action, which took place in the U.S., France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom, represents one of the largest U.S.-led disruptions of a botnet infrastructure used by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.  
 
"The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees," said FBI Director Christopher Wray. "The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast."


How the Malware Worked 
 
The Qakbot malware infected victim computers primarily through spam emails that contained malicious attachments or links.  
 
After a user downloaded or clicked the content, Qakbot delivered additional malware—including ransomware—to their computer. The computer also became part of a botnet (a network of compromised computers) and could be controlled remotely by botnet users. All the while, a Qakbot victim was typically unaware that their computer had been infected. 
 
Since its creation in 2008, Qakbot malware has been used in ransomware attacks and other cybercrimes that caused hundreds of millions of dollars in losses to individuals and businesses in the U.S. and abroad. 

"This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe," Wray said. 

 

Disrupting the Duck 
 
As part of the operation, the FBI gained lawful access to Qakbot’s infrastructure and identified over 700,000 infected computers worldwide—including more than 200,000 in the U.S.  
 
To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file. This uninstaller—created to remove the Qakbot malware—untethered infected computers from the botnet and prevented the installation of any additional malware. 
 
"All of this was made possible by the dedicated work of FBI Los Angeles, our Cyber Division at FBI Headquarters, and our partners, both here at home and overseas," said Wray. "The cyber threat facing our nation is growing more dangerous and complex every day. But our success proves that our own network and our own capabilities are more powerful."

Qakbot botnet dismantled after infecting over 700,000 computers

 

Quote

Qakbot, one of the largest and longest-running botnets to date, was taken down following a multinational law enforcement operation spearheaded by the FBI and known as Operation 'Duck Hunt.'

The botnet (also known as Qbot and Pinkslipbot) was linked by law enforcement to at least 40 ransomware attacks against companies, healthcare providers, and government agencies worldwide, causing hundreds of millions of dollars in damage, according to conservative estimates. Over the past 18 months alone, losses have surpassed 58 million dollars.

Throughout the years, Qakbot has consistently served as an initial infection vector for various ransomware gangs and their affiliates or operators, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta.

"The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast," FBI Director Christopher Wray said.

"This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe."

Taken down after taking control of Qakbot admin's PC

The FBI dismantled Qakbot after it infected over 700,000 computers (over 200,000 in the United States) after infiltrating parts of the botnet's infrastructure, including one of the computers used by a Qakbot admin.

"On one such computer used by a Qakbot administrator, the FBI located many files related to the operation of the Qakbot botnet. Those files included communications (e.g., chats discussed in detail below) between the Qakbot administrators and co-conspirators and a directory containing several files holding information about virtual currency wallets," according to court documents.

"A different file, found elsewhere on the same computer, named 'payments.txt,' contained a list of ransomware victims, details about the ransomware group, computer system details, dates, and an indication of the amount of BTC paid to the Qakbot administrators in connection with the ransomware attack."

On Friday night, they redirected Qakbot traffic to servers controlled by the agency, which provided the FBI with the access needed to deploy an uninstaller to compromised devices across the globe, clearing the infection and preventing the deployment of additional malicious payloads.

While victims received no notification when the uninstaller was executed to remove the malware from their systems, the FBI notified them using IP address and routing information collected from the victims' computers when deploying the removal tool.

Furthermore, people can check if their devices were infected by submitting their email addresses on Have I Been Pwned or the Dutch National Police websites.

"The scope of this law enforcement action was limited to information installed on the victim computers by the Qakbot actors," the Justice Department said in a press release today.

"It did not extend to remediating other malware already installed on the victim computers and did not involve access to or modification of the information of the owners and users of the infected computers."

The list of partners the FBI worked with throughout this joint operation includes Europol, French Police Cybercrime Central Bureau and the Cybercrime Section of the Paris Prosecution Office, Germany's Federal Criminal Police and General Public Prosecutor's Office Frankfurt/Main, Netherlands National Police and National Public Prosecution Office, the United Kingdom's National Crime Agency, Romania's National Police, and Latvia's State Police.

The FBI also worked with CISA, Shadowserver, the Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to notify victims.

The operation was coordinated by the FBI's Los Angeles Field Office, the U.S. Attorney's Office for the Central District of California, and the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS), in cooperation with Eurojust.

"Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out. This operation also has led to the seizure of almost 9 million dollars in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims," said U.S. Attorney Martin Estrada.

In May, cybersecurity and intelligence agencies from all Five Eyes member nations also took down the Snake peer-to-peer botnet operated by Russia's Federal Security Service (FSB) and linked to the notorious Turla hacking group.

 

Edited by David H. Lipman

YEAH!!!!!

"To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file. This uninstaller—created to remove the Qakbot malware—untethered infected computers from the botnet and prevented the installation of any additional malware. "

Edited by NewTricks


Data From The Qakbot Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI

EDIT:


So the Qakbot data is considered a sensitive breach, and thus going to the website will not show it in the list when you enter an email address. You would have to register to receive an email notification if that address was found in that list.

 

Edited by David H. Lipman

On 8/29/2023 at 6:32 PM, David H. Lipman said:

You would have to register

Should we use the NOTIFY ME drop-down on that site, or somewhere else? I have already registered my addresses and discovered that if I mistakenly duplicated one, I received a message saying: "You have already registered this address."

Thank you for your patience.
