FBI dismantles notorious Qakbot botnet
This botnet had been responsible for at least 40 ransomware attacks globally, causing extensive financial damage, likely in the hundreds of millions of dollars.
Qakbot, also known as Qbot and Pinkslipbot, a notorious and long-running botnet, has been dismantled in a multinational law enforcement operation led by the FBI, named Operation ‘Duck Hunt.’ This botnet had been responsible for at least 40 ransomware attacks globally, causing extensive financial damage, likely in the hundreds of millions of dollars.
This botnet has been available for rent to cybercriminals, enabling them to gain initial unauthorized access to victims’ computer systems and data. Various ransomware groups, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and Black Basta, used it as an initial infection point.
Its targets span a wide range, from financial institutions to vital government contractors in and medical device manufacturers. It is estimated that Qakbot managed to infect more than 700,000 computers, including 200,000 within the United States. This operation also resulted in the seizure of around $9 million in cryptocurrency from the Qakbot cybercriminal group.
Chronology of the operation
The FBI obtained a court warrant to initiate the operation on 21 August. Subsequently, agents successfully penetrated Qakbot’s central computer infrastructure four days later, as officially disclosed by the FBI. This led to the command for the computers in the botnet to cease their connection to Qakbot.
According to Keith Jarvis, a senior researcher at Secureworks, a cybersecurity firm based in Atlanta, most computers infected with Qakbot were likely remedied within the initial hours of the FBI operation.
In a post-announcement media briefing, an unidentified FBI official mentioned that a specific removal tool had been developed for this operation. However, victims will not be informed that their devices have been fixed or that a compromise has occurred.
Who participated in the operation?
The FBI collaborated with international partners, including Europol, the French Police Cybercrime Central Bureau, Germany’s Federal Criminal Police, the Netherlands National Police, the United Kingdom’s National Crime Agency, Romania’s National Police, and Latvia’s State Police. Additionally, they worked alongside organizations like CISA, Shadowserver, Microsoft Digital Crimes Unit, National Cyber Forensics and Training Alliance, and Have I Been Pwned to notify affected parties.