Qakbot botnet disrupted, malware removed from 700,000+ victim computers

The Qakbot botnet has been crippled by the US Department of Justice (DOJ): 52 of its servers have been seized and the popular malware loader has been removed from over 700,000 victim computers around the world.

“To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot,” the Department explained.

What is Qakbot?

Qakbot, also known as Qbot or Pinkslipbot, is usually delivered to potential victims via spam email messages containing malicious attachments and/or links. Its main purpose is to deliver additional malware to the infected computer.

“Qakbot has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta,” the DOJ noted.

“These ransomware groups caused significant harm to businesses, healthcare providers, and government agencies all over the world, including to a power engineering firm based in Illinois; financial services organizations based in Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California. Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims.”

Victims usually don’t notice a Qakbot infection.

Qakbot malware removed from infected computers

According to the DOJ, 200,000 of the infected computers are located in the US, the rest worldwide, including in the countries whose law enforcement agencies have also been involved in the operation: France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia.

“The Operation ‘Duck Hunt’ Team utilized their expertise in science and technology, but also relied on their ingenuity and passion to identify and cripple Qakbot, a highly structured and multi-layered bot network that was literally feeding the global cybercrime supply chain,” said Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “These actions will prevent an untold number of cyberattacks at all levels, from the compromised personal computer to a catastrophic attack on our critical infrastructure.”

The Qakbot uninstaller delivered to the victims will remove that particular malware from the infected computers, but can’t delete other malware that may be installed on them (whether installed by Qakbot or not).

“As a result of this operation, the FBI and the Dutch National Police have identified numerous account credentials that were compromised by the Qakbot actors,” the DOJ noted, and pointed users towards the Have I Been Pwned service and a website set up by the Dutch National Police that may reveal whether their email account credentials have been harvested by the Qakbot operators.

As part of this action, the DOJ also seized more than $8.6 million in cryptocurrency from 20 wallets controlled by the Qakbot cybercriminal organization.

“The FBI has gained access to portions of the Qakbot computer infrastructure, including the Qakbot Admin Computers. On one such computer used by a Qakbot administrator, the FBI located many files related to the operation of the Qakbot botnet. Those files included communications (e.g., chats) between the Qakbot administrators and co-conspirators and a directory containing several files holding information about virtual currency wallets,” it has been explained in the FBI application for a warrant for the seizure of these funds.

The FBI said they’ve also found a file that contained a list of ransomware victims, details about the ransomware group, computer system details, dates, and an indication of the amount of bitcoin paid to the Qakbot administrators in connection with the ransomware attack.

UPDATE (August 30, 2023, 08:00 a.m. ET):

Read up on the technical aspects of FBI’s clean-up effort and what comes next.