LOS ANGELES –
US officials said Tuesday that the FBI and its European partners have infiltrated and taken control of a large global malware network that has been used for a variety of online crimes, including crippling ransomware attacks, for more than 15 years.
They then remotely removed the malicious software agent — known as Qakbot — from thousands of infected computers.
Cybersecurity experts were impressed by the network's deft takedown, but warned that any setback to cybercrime was likely to be temporary.
“Almost every sector of the economy has been victimized by Qakbot,” said Martin Estrada, the US Attorney in Los Angeles, Tuesday as he announced the takedown. He said the criminal network facilitated about 40 ransomware attacks over the course of 18 months alone, earning Qakbot administrators about $58 million, according to investigators.
Qakbot ransomware victims included an Illinois-based engineering firm, financial services organizations in Alabama and Kansas, a Maryland defense manufacturer, and a food distribution company in Southern California, Estrada said.
Officials said $8.6 million worth of cryptocurrency was seized or frozen, but no arrests were announced.
Estrada said the investigation is still ongoing. He declined to say where the administrators of the malware, which bundled infected machines into a botnet of zombie computers, were located. Cybersecurity researchers say they are likely to be in Russia and/or other former Soviet countries.
Officials estimated that the malware loader, a digital Swiss Army knife for cybercriminals also known as Pinkslipbot and Qbot, has been used as an information-stealing banking Trojan to cause hundreds of millions of dollars in damage since it first appeared in 2008. They said millions of people in almost every country in the world were affected.
Typically distributed via phishing emails, Qakbot gives criminal hackers initial access to infected computers. They could then deploy additional payloads such as ransomware, steal sensitive information, or gather victim information to facilitate financial fraud and crimes such as tech support and romance scams.
The Qakbot network “literally fed the global cybercrime supply chain,” said Donald Alway, deputy director of the FBI's Los Angeles office, calling it “one of the most devastating cybercrime tools in history.” According to two cybersecurity firms, Qakbot was the most frequently detected malware in the first half of 2023, affecting one in ten corporate networks. It was responsible for about 30 percent of all attacks worldwide. Such “initial access” tools allow ransomware extortion gangs to skip the first step of penetrating computer networks, making them important intermediaries for the far-flung, mostly Russian-speaking criminals who have wreaked havoc through data theft and disruptions at schools, hospitals, local governments and companies worldwide.
Starting Friday, FBI officials, along with Europol and law enforcement and judicial partners in France, the United Kingdom, Germany, the Netherlands, Romania and Latvia, seized more than 50 Qakbot servers in an operation dubbed “Duck Hunt” and identified more than 700,000 infected computers, more than 200,000 of them in the US, effectively cutting the criminals off from their prey.
The FBI then used the seized Qakbot infrastructure to remotely send out updates that wiped the malware from thousands of infected computers. A senior FBI official, briefing reporters on condition of anonymity, said the exact number was “unknown” and warned that other malware may still remain on computers freed from Qakbot.
It was the FBI's biggest hit against cybercriminals since it “hacked the hackers” when it took down the prolific Hive ransomware gang in January.
“It's an impressive shutdown. Qakbot was the largest botnet,” said Alex Holden, founder of Milwaukee-based Hold Security. But he said it may have been a victim of its own success, given its staggering growth in recent years. “Today, large botnets tend to implode as too many threat actors exploit this data for various types of abuse.”
Sophos cybersecurity expert Chester Wisniewski agreed that while there could be a temporary lull in ransomware attacks, criminals are likely to either rebuild their infrastructure elsewhere or migrate to other botnets.
“This will cause major disruption for some gangs in the short term, but restarting won't do anything,” he said. “However, it takes a long time to recruit 700,000 PCs.”