The FBI on Tuesday announced a successful multinational operation to take down a cybercrime ring known as “Qakbot.” The gang used an enormous botnet to spread ransomware through spam emails, inflicting hundreds of millions of dollars in damage on computer users around the world.
“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees. The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast,” said FBI Director Christopher Wray.
The FBI described Operation Duck Hunt – which spanned the United States, United Kingdom, Europe, and Eastern Europe – as “one of the largest U.S.-led disruptions of a botnet infrastructure used by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.”
Qakbot was a botnet, a large number of infected computers working secretly at the command of cyber-criminals to pump out emails laced with malicious code. Unsuspecting users who opened the attachments on these emails became infected, adding their computers to the botnet.
The Biden administration assures Americans that cyberattacks "are here to stay" and "will intensify." https://t.co/oV9w1EoIub
— Breitbart News (@BreitbartNews) June 7, 2021
Once Qakbot opened a doorway into computer systems, its controllers could slip many other forms of malware into the infected networks. Many of the victims had no idea their computer was infected by malware and was under the remote control of criminals. Others were attacked with ransomware, a form of computer virus that locks down the data in a computer system unless a ransom is paid to the hackers.
Qakbot, which has existed since 2008, was one of the oldest and most complicated botnet platforms for launching ransomware attacks. The botnet evolved from a “trojan” virus known as Qbot or Pinkslipbot that began infiltrating banking computer systems in 2007. On Tuesday, the FBI said over 700,000 computers were infected with Qakbot viruses, 200,000 of them in the United States.
Cybersecurity researchers said the creators of the botnet have leased it to various criminal organizations, including a highly active Russian ransomware gang called “Black Basta.” Qakbot has been the most popular delivery system for various forms of malware for several years.
According to U.S. Attorney for the Southern District of California Martin Estrada, Qakbot was involved in at least 40 ransomware attacks over the past 18 months, with collective damages of over $58 million.
The Justice Department seized more than 50 Internet servers involved in distributing and controlling Qakbot, and recovered almost $9 million in cryptocurrency ransom payments, along with over 6.5 million stolen passwords and other identification data. Cybersecurity experts said criminal gangs using Qakbot harvested at least $58 million in ransom over the past two years.
Ransomware attacks have become a growing issue in recent years, now a new report claims that hackers cost schools $3.56 billion in losses and downtime in just 2021. https://t.co/GDzgt3sZCP
— Breitbart News (@BreitbartNews) June 28, 2022
Department of Justice (DOJ) investigators managed to take control of the botnet in August and began routing its traffic into the FBI’s servers, which helped identify both the controllers of the network and most of their victims. The FBI provided victims with a program that would uninstall the Qakbot malware and disconnect their computers from the botnet, although other malware loaded into their systems through Qakbot had to be addressed separately.
DOJ did not name any suspects, but private security experts believe there are two “actors” – either individuals or hacker groups – in charge of distributing and managing the Qakbot network for their ransomware-spreading criminal clients. These actors, known as “Gold Lagoon” and “Mallard Spider,” have been vigorously updating and refining Qakbot over the past 15 years. The virus mutated rapidly in response to defensive actions taken by software vendors like Microsoft, making it a persistent and elusive threat.
“All of this was made possible by the dedicated work of FBI Los Angeles, our Cyber Division at FBI Headquarters, and our partners, both here at home and overseas,” Wray said.
“The cyber threat facing our nation is growing more dangerous and complex every day. But our success proves that our own network and our own capabilities are more powerful,” he said.