International law enforcement operation disrupts notorious Qakbot malware

LOS ANGELES, Calif. – The U. S. Department of Justice announced a multinational operation to disrupt an infamous botnet and malware known as Qakbot on Tuesday.

The international group involves representatives from the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia.

The announced operation is the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-based criminal activity detail the Department of Justice.

According to the Department of Justice, more than $8.6 million in cryptocurrency has been seized so far and is categorized as illicit profits connected to the malware.

“An international partnership led by Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world,” said United States Attorney Martin Estrada. “Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out. This operation also has led to the seizure of almost 9 million dollars in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims. My Office’s focus is on protecting and vindicating the rights of victims, and this multifaceted attack on computer-enabled crime demonstrates our commitment to safeguarding our nation from harm.”

Court documents detail that Qakbot, also known as "Qbot" and "Pinkslipbot", is controlled by a cybercriminal organization and used to target critical infrastructure worldwide.

Qakbot malware primarily infects computers through spam email messages containing malicious attachments or hyperlinks relay the Department of Justice.

According to the Department of Justice, once the malware infects a computer, Qakbot can quickly deliver additional malware, including ransomware, and has been used as an initial means of infection from prolific ransomware groups including Conti, ProLock, Egregor, REvil, MegaCrotex, and Black Basta.

The ransomware actors then usually extort their victims by seeking payments in Bitcoin before returning access to the victim's computer networks detail the Department of Justice.

These ransomware groups have targeted private businesses, healthcare providers, and government agencies around the world including a power engineering firm based in Illinois; financial services organizations based in Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California relay the Department of Justice.

According to the Department of Justice, between October 2021 and April 2023, Qakbot administrators extracted fees corresponding to around $58 million in ransom payments.

The Federal Bureau of Investigation (FBI) was able to gain access to Qakbot infrastructure and identify over 700,000 computers worldwide, including 200,000 in the United States, that appear to have been infected with Qakbot relay the Department of Justice.

These victimized computers are part of a botnet, a network of compromised computers, which perpetrators can use to remotely control all of the infected computers in a coordinated manner unbeknownst to their victims explain the Department of Justice in a press release.

To disrupt the botnet, the FBI redirected the Qakbot botnet traffic to and through servers controlled by the FBI which instructed infected computers to download a file created by law enforcement that would uninstall the Qakbot malware detail the Department of Justice.

According to the Department of Justice, the scope of this law enforcement action was limited to information installed on the victim computers by the Qakbot actors only and did not extend to other malware already installed on the targeted computers.

Additional information and resources for those impacted by Qakbot malware can be found here.