Notorious botnet Qakbot, which has been used by some of the world’s most prolific ransomware gangs to launch attacks, has been taken down by the FBI in conjunction with police in the UK and Germany. The botnet had infected more than 700,000 devices worldwide and the FBI says it has seized cryptocurrency worth $8.6m as part of the raid. Security researchers have welcomed the news, describing Qakbot as “a ticking bomb” in the hands of cybercriminals.
Law enforcement agencies in the Netherlands, Romania and Latvia also participated in Monday’s bust.
How the FBI sent Qakbot to the bottom of the pond
The FBI says it gained access to Qakbot’s network and was able to redirect traffic to bureau-controlled servers that instructed the 700,000 infected computers to download an uninstaller file. This untethered infected computers from the botnet and prevented the installation of any additional malware.
“The FBI neutralised this far-reaching criminal supply chain, cutting it off at the knees,” said FBI director Christopher Wray. “The victims ranged from financial institutions on the east coast to a critical infrastructure government contractor in the midwest to a medical device manufacturer on the west coast.”
The botnet was used by numerous ransomware gangs including REvil, Ryuk and Black Basta. Bogdan Botezatu, director of threat research at security company Bitdefender, says Qakbot was a “ticking bomb” that had “been a pest” for the past decade. “It was very modular, very effective and quite versatile, some sort of a Swiss army knife of the cyber-underground,” Botezatu says. “Personally, I’m very happy with the news.”
Qakbot was primarily spread through spam emails, delivering additional malware, including ransomware. Other groups known to have used it include ProLock, Egregor and MegaCortex, according to a report by security company ReliaQuest. It has been deployed to launch attacks on businesses and public sector organisations.
Researchers often felt they were playing a game of cat and mouse in trying to take Qakbot offline, explains John Fokker, head of threat intelligence at Trellix Advanced Research Centre. “It was constantly evolving, adding new features, and finding new ways to evade detection, always skirting true takedown, until now,” Fokker says. “It is great news that the FBI and partners were able to disrupt this very persistent botnet and hopefully it will stay offline for good.”
The process of taking down the botnet will not have been simple, Fokker says. “Combating cybercrime takes a respectable amount of dedication and collaboration to pull apart the intricacies of ransomware infrastructures,” he adds. “The increase in takedowns and arrests shows that cybercriminals need to watch their backs.”
FBI continues its assault on cybercriminals
Trellix’s Fokker says more similar operations are likely to be imminent, as the FBI has been active in its efforts to stop cybercriminals in recent weeks. Earlier this month, illegal web hosting service Lolek Hosted was taken down, having allegedly been used to distribute malware and help launch multiple distributed denial of service attacks.
In April, dark web marketplace Genesis, where criminals could buy and sell stolen information on 80 million people, was taken offline in a global sting that involved officers from the UK NCA, the FBI and the Dutch National Police Corps. This led to the arrest of 120 people.
In January, ransomware gang Hive’s online infrastructure was seized in a sting led by the FBI and Europol. Officers obtained encryption keys that could help victims of the group retrieve stolen data and avoid paying ransoms totalling more than $100m. The dark web blog site for the gang was replaced with a seizure notice that said, “This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action.”