Qakbot infrastructure dismantled in multinational cybercrime takedown

The United States FBI and the Justice Department have announced a multinational operation involving actions in the US, France, Germany, the Netherlands, the UK, Romania, and Latvia to disrupt the botnet and malware known as Qakbot, taking down its infrastructure. The action represents the largest US-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cybercriminal activity.

The Qakbot malware – also known by various names including “Qbot” and “Pinkslipbot” – infected victims’ computers primarily through spam emails that contained malicious attachments or links. Since its creation in 2008, Qakbot malware has been used in ransomware attacks and other cybercrimes that caused hundreds of millions of dollars in losses to individuals and businesses in the US and abroad. In recent years, Qakbot became the botnet of choice for some of the most infamous ransomware gangs, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. Qakbot administrators have reportedly received fees corresponding to approximately $58 million in ransoms paid by victims.

FBI redirected Qakbot botnet traffic to and through controlled servers

The FBI said it gained access to Qakbot infrastructure and identified more than 700,000 computers worldwide, including more than 200,000 in the US, that appear to have been infected with Qakbot. To disrupt the botnet, the FBI redirected Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the US and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.

The Department of Justice also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims. “The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” said FBI director Christopher Wray. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”

The FBI has partnered with the US Cybersecurity and Infrastructure Security Agency (CISA), Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation.

Qakbot malware data searchable via Have I Been Pwned

Qakbot malware data is now searchable on the Have I Been Pwned site, wrote founder Troy Hunt. “These are now all searchable in HIBP, albeit with the incident flagged as ‘sensitive.’ So, you’ll need to verify you control the email address via the notification service first, or you can search any domains you control via the domain search feature.” Further, the passwords from the malware will shortly be searchable in the Pwned Passwords service, which can either be checked online or via the API, Hunt added.
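The Pwned Passwords API mentioned above is designed so that a caller never sends the password, or even its full hash, to the service: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint (https://api.pwnedpasswords.com/range/{prefix}), and receives every known hash suffix in that range with a breach count. The client then matches the remaining 35 characters locally. The following is an added example of that client-side logic, not code from the article or from Have I Been Pwned; the function names and the range response body are constructed for illustration (the response format, `SUFFIX:COUNT` per line, is the service's documented one).

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def hash_and_split(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix ever leaves the machine; the 35-character
    suffix is kept locally for matching.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" lines) and return the
    breach count for our suffix, or 0 if it is not listed."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines defensively
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch=None) -> int:
    """Full k-anonymity check. `fetch` takes a prefix and returns the
    range body; it defaults to a live HTTPS request (hypothetical
    helper, not part of any official client library)."""
    prefix, suffix = hash_and_split(password)
    if fetch is None:
        def fetch(p: str) -> str:
            req = urllib.request.Request(
                RANGE_URL.format(prefix=p),
                headers={"User-Agent": "pwned-passwords-example"},
            )
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return count_in_range(suffix, fetch(prefix))


# Constructed sample range body: two made-up suffixes plus the real
# suffix of SHA-1("password") with a made-up count of 42.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:42
"""


def offline_check(password: str) -> int:
    """Run the check against the constructed body instead of the network."""
    return breach_count(password, fetch=lambda _prefix: SAMPLE_RANGE_BODY)


if __name__ == "__main__":
    # Offline demonstration; swap in breach_count(pw) for a live lookup.
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {offline_check(pw)} time(s) in the sample range")
```

The design point worth noticing is that `count_in_range` does the match on the client: even if the range request is logged server-side, the server learns only that one of several hundred hashes sharing that prefix was of interest, which is why the service can be used for password screening without disclosing the password itself.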

Operation likely to have significant short-term effect on cybercriminal groups

“The recent law enforcement operation targeting Qakbot will likely have a significant short-term effect (one to three months) on the activities associated with many cybercriminal groups,” Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, tells CSO. “Many high-profile ransomware groups are known to favor using Qakbot to facilitate initial access to targeted organizations. With the disruption to Qakbot, it’s likely that such groups will have to pivot to other, less favored methods of gaining access to targeted organizations.”

What the future holds for Qakbot is unclear, he adds. “Other malware families – notably the Emotet botnet – were previously targeted by law enforcement activity and shut down for extended periods of time, before returning.” In terms of the landscape for malware loaders, ReliaQuest recently observed that Qakbot was one of three loaders that, in total, accounted for 80% of incidents in which a malware loader was observed. “The other two most commonly used loaders were SocGholish and Raspberry Robin. It’s realistically possible that criminal groups known to favor use of Qakbot will pivot to these capable loaders.”

How to avoid Qakbot and other botnet malware infections

Guidance for those impacted by incidents involving Qakbot is the same tried-and-tested advice given after previous malware incidents, according to Hunt:

  • Keep security software such as antivirus up to date with current definitions.
  • If you’re reusing passwords across services, get a password manager and change them to be strong and unique.
  • Enable multifactor authentication where supported, at least for your most important services.

For administrators with affected users, CISA has a report that explains the malware in more detail, including links to YARA rules to help identify the presence of the malware within your network.
