
US Dismantles Notorious Qakbot Botnet That Fueled Ransomware Attacks

The FBI hijacked the Qakbot botnet and circulated an uninstaller, removing the malware infections from numerous computers.

By Michael Kan, Principal Reporter


US investigators say they’ve dealt a serious blow to the ransomware scourge by taking down a notorious botnet known as Qakbot. 

On Tuesday, the Justice Department and FBI announced they had dismantled Qakbot by securing a search warrant to essentially hijack the servers that controlled the botnet. Federal agents then forced the botnet to circulate an uninstaller to thousands of computers infected with Qakbot, removing the malicious program. 

During their investigation, federal agents noticed Qakbot controlling 700,000 infected computers, about 200,000 of which were based in the US. 

Qakbot, also known as Qbot, began as a Windows-based Trojan designed to steal access to users’ bank account information when it was first spotted around 2008. It can typically spread through malicious attachments in phishing emails.

The malware was also designed to form a botnet, or an army of infected computers, capable of receiving commands from hacker-controlled servers. As a result, the creators of Qakbot were able to sell access to their infected computers to other cybercriminal groups.

The cybercriminal groups could then steal data from the infected computers or launch ransomware on them. US investigators and security researchers have linked Qakbot to several ransomware gangs including Conti, Black Basta, Royal, REvil, and LockBit, among others. In return, the unknown operators of Qakbot pulled in fees linked to about $58 million in ransoms paid by victims. Meanwhile, total victim losses from the botnet's activities are likely in the hundreds of millions of dollars.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” US Attorney Martin Estrada said in the announcement.

So far, the US hasn’t offered details on how it hijacked and neutralized Qakbot. But in a statement, the Justice Department noted: “The FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware.” 

During the takedown, federal agents also seized $8.6 million from the Qakbot group, which will be redistributed to ransomware victims. The Justice Department added that the search warrant it used to dismantle the botnet only permitted the FBI to remove the Qakbot malware from infected computers, not to perform any other actions. 

Federal officials wouldn't say if they've identified the individuals who ran Qakbot. They would only note the investigation remains ongoing. However, the US doesn't expect the botnet to return anytime soon. With the help of law enforcement in Europe, federal agents have also seized 52 servers to prevent Qakbot from being resurrected.

Another 6.5 million stolen login credentials from victims were also uncovered. "The FBI has partnered with the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation," the agency added.
