FBI takes down cybercriminal Qakbot malware in multinational operation

The Justice Department today announced a multinational operation involving actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia to disrupt the botnet and malware known as Qakbot and take down its infrastructure. The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm. The Department also announced the seizure of approximately $8.6 million in cryptocurrency in illicit profits.
The action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.
“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” said Attorney General Merrick B. Garland. “Together with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world, and seized $8.6 million in extorted funds.”
According to court documents, Qakbot, also known by various other names, including “Qbot” and “Pinkslipbot,” is controlled by a cybercriminal organization and used to target critical industries worldwide. The Qakbot malware primarily infects victim computers through spam email messages containing malicious attachments or hyperlinks. Once it has infected a victim computer, Qakbot can deliver additional malware, including ransomware, to the infected computer. Qakbot has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The ransomware actors then extort their victims, seeking ransom payments in bitcoin before returning access to the victim computer networks. These ransomware groups have caused significant harm to businesses, healthcare providers, and government agencies all over the world.
“The FBI led a worldwide joint, sequenced operation that crippled one of the longest-running cybercriminal botnets,” said FBI Director Christopher Wray. “With our federal and international partners, we will continue to systematically target every part of cybercriminal organizations, their facilitators, and their money – including by disrupting and dismantling their ability to use illicit infrastructure to attack us. Today’s success is yet another demonstration of how FBI’s capabilities and strategy are hitting cyber criminals hard, and making the American people safer.”
The victim computers infected with Qakbot malware are part of a botnet, which is a network of compromised computers, meaning the perpetrators can remotely control all the infected computers in a coordinated manner. The owners and operators of the victim computers are typically unaware of the infection.
“An international partnership led by Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world,” said U.S. Attorney Martin Estrada for the Central District of California. “Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out. This operation also has led to the seizure of almost 9 million dollars in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims. My office’s focus is on protecting and vindicating the rights of victims, and this multifaceted attack on computer-enabled crime demonstrates our commitment to safeguarding our nation from harm.”
As part of the takedown, the FBI was able to gain access to Qakbot infrastructure and identify over 700,000 computers worldwide, including more than 200,000 in the United States, that appear to have been infected with Qakbot. To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.
The scope of this law enforcement action was limited to information installed on the victim computers by the Qakbot actors. It did not extend to remediating other malware already installed on the victim computers and did not involve access to or modification of the information of the owners and users of the infected computers.
Valuable technical assistance was provided by Zscaler. The FBI has partnered with the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation.
The FBI Los Angeles Field Office, the U.S. Attorney’s Office for the Central District of California, and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) conducted the operation in close cooperation with Eurojust. Investigators and prosecutors from several jurisdictions provided crucial assistance, including Europol, French Police Cybercrime Central Bureau and the Cybercrime Section of the Paris Prosecution Office, Germany’s Federal Criminal Police and General Public Prosecutor’s Office Frankfurt/Main, Netherlands National Police and National Public Prosecution Office, the United Kingdom’s National Crime Agency, Romania’s National Police, and Latvia’s State Police. The Justice Department’s Office of International Affairs and the FBI Milwaukee Field Office provided significant assistance.
CCIPS Trial Attorneys Jessica Peck, Ryan K.J. Dickey, and Benjamin Proctor, and Assistant U.S. Attorneys Khaldoun Shobaki and Lauren Restrepo for the Central District of California led the U.S. efforts.
We have recently deactivated our website's comment provider in favour of other channels of distribution and commentary. We encourage you to join the conversation on our stories via our Facebook, Twitter and other social media pages.
More from Peoples Gazette

Agriculture
FG tasks ECOWAS on leveraging financing strategies for agroecology
The federal government has urged stakeholders in the agriculture and finance sectors in the West Africa region to leverage financing strategies to enhance agroecology practices

Politics
Katsina youths pledge to deliver over 2 million votes to Atiku
“Katsina State is Atiku’s political base because it is his second home.”

Jos
Trader sentenced to prison for stealing trousers in hospital
A Jos Magistrate’s Court on Wednesday sentenced a 26-year-old trader, Ahmed Abdullahi, to nine months in prison for stealing a shirt and trousers from a hospital.

Ibadan
National parks chief hails Tinubu, Makinde for rescue of abducted Oyo students
Ibrahim Goni, the conservator-general of the National Park Service, has commended President Bola Tinubu for the rescue of pupils and teachers abducted in the Oriire council area.

NationWide
Northerners warned against politicising terrorism, banditry
GAPAG has called on various associations in the north to stop politicising insecurity in the country.

Economy
Africa’s prosperity depends on value addition to raw materials, says RMRDC
Nnanyelugo Ike-Muonso, the director-general of the Raw Materials Research and Development Council (RMRDC), disclosed on Tuesday in Abuja.

Opinion
Eugene Itua: Lagos Flooding and the Coastal Highway: Separating facts from fiction
Nigeria needs better conversations about infrastructure. They should ask difficult questions, demand transparency, and insist on rigorous environmental standards.

States
NIPSS boss meets Gbong Gwom, apologises for Berom militia group comment
Mr Omotayo, who visited the paramount ruler tendered an apology for his recent comments on the Berom people.





