The FBI has announced a takedown operation to disrupt the infamous ‘Qakbot’ malware network widely used by hackers involved in stealing millions from unsuspecting users.
Qakbot malware infected more than 700,000 computers around the world and was used to commit ransomware attacks and financial fraud, officials said Tuesday.
Qakbot is believed to have originated in Russia over a decade ago and is often distributed through booby-trapped emails that infect devices and add them to the botnet without the victim’s knowledge.
Taking a page from the hacker playbook, the FBI was able to surreptitiously reroute the network’s traffic through government-controlled servers and, with court approval, remotely remove the Qakbot malware from victims’ devices, dislodging them from the botnet.
A senior FBI official told DailyMail.com that the malware removal program was run without notifying victims, but people who fear they were victims of Qakbot may check a database maintained by the Dutch National Police to see if they were compromised.
The botnet’s network of 700,000 infected computers spanned 200,000 devices across the United States, DOJ and FBI officials said.
The senior FBI official emphasized that the malware removal tool was authorized by a judge and had a very limited scope, noting that “nothing on the computer’s hard drive should be touched, nor erased or read.”
“So none of the private information a victim has on the computer will be accessible through that process,” the person added.
The Justice Department also confirmed the seizure of more than $8.6 million in cryptocurrency, representing illicit profits from the botnet. FBI and DOJ officials said they were not announcing any arrests in connection with the operation.
Officials noted that since its inception in 2008, the Qakbot malware has been used in ransomware attacks and other cybercrimes, causing hundreds of millions of dollars in losses for individuals and businesses.
Qakbot essentially acted as a service provider to the hacker industry, providing an infrastructure of compromised computers that could be used to launch attacks, or selling direct access to the compromised devices.
Officials say that Qakbot has been used as a primary infection tool by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.
The ransomware gangs then extort victims, demanding a ransom in bitcoin or other cryptocurrencies before restoring access to the victim’s encrypted computer networks.
Qakbot’s victims included an Illinois-based power engineering company; financial services companies in Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California.
Known as “Operation Duck Hunt,” the takedown operation was led by prosecutors and investigators working out of the US Attorney’s Office in Los Angeles.
The operation also involved authorities from France, Germany, the Netherlands, the United Kingdom, Romania and Latvia.
To disrupt the botnet, the FBI says it redirected Qakbot traffic to FBI-monitored servers that instructed infected computers to download an uninstaller file.
Specifically created to remove the Qakbot malware, this uninstaller detached infected computers from the botnet and prevented the installation of additional malware.
“The FBI neutralized this far-reaching criminal supply chain and cut it at the knees,” FBI Director Christopher Wray said in a statement.
“The victims ranged from financial institutions on the East Coast to a government critical infrastructure contractor in the Midwest to a medical device manufacturer on the West Coast,” he added.
Potential victims can check if their devices have been compromised by Qakbot in two ways.
In addition to the Dutch police site, the FBI is also working with the website Have I been pwned?, where individuals can check whether their credentials have been compromised.