FBI Takes Down Qakbot Malware Infrastructure

August 30, 2023 - The Federal Bureau of Investigation (FBI) and international partners successfully disrupted Qakbot, a botnet and malware operation that was leveraged by threat actors to infect hundreds of thousands of computers worldwide.

In addition to disrupting the botnet, the DOJ seized more than $8.6 million in cryptocurrency from Qakbot operators and identified 700,000 infected computers worldwide, including 200,000 in the US alone.

"The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees," said FBI Director Christopher Wray in a press release. "The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast."

Created in 2008, Qakbot has been used in ransomware attacks across the world, incurring hundreds of millions in losses for victim individuals and businesses. Qakbot typically infected victim computers via spam emails, enticing victims to click on malicious links.

"This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe," Wray noted.

Qakbot was one of the top malware threats of 2021, according to the Cybersecurity and Infrastructure Security Agency (CISA). What’s more, BlackBerry identified Qakbot as one of the most popular Trojans used against healthcare in Q4 2022.

“To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware,” the Department of Justice (DOJ) stated.

“This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.”

Investigators calculated that Qakbot operators received ransoms amounting to $58 million between October 2021 and April 2023, taking funds from healthcare organizations, government agencies, and financial institutions.

Taking down a notorious malware operation is another big win for the security community, especially following the DOJ’s successful disruption of Hive ransomware in January 2023. Even so, ransomware remains an international threat.

"Ransomware is a major national security challenge that we have to take as seriously as threats from nation-states, like Russia or North Korea. The underpinnings of this business model are solid and this problem is not going away anytime soon,” said Sandra Joyce, VP at Mandiant Intelligence – Google Cloud.

“Many of the tools we have at our disposal aren't going to have long-lasting effects. These groups will recover and they will be back. But we have a moral obligation to disrupt these operations whenever possible."

Cybersecurity agencies worldwide will likely continue to take down major cybercriminal operations one by one as they work to improve prevention and detection.

"The cyber threat facing our nation is growing more dangerous and complex every day. But our success proves that our own network and our own capabilities are more powerful,” Wray concluded.