FBI and European Partners Dismantle Qakbot Malware Network, Causing $58 Million in Damages
In a groundbreaking operation, the FBI, in collaboration with its European counterparts, successfully infiltrated and took control of a major global malware network responsible for a wide range of online crimes, including devastating ransomware attacks. This operation resulted in the removal of the notorious Qakbot malware from thousands of infected computers around the world.
Cybersecurity experts have applauded the meticulous dismantling of the network, acknowledging its significant impact on cybercrime. However, they caution that this setback is likely to be temporary, as cybercriminals continuously adapt to new challenges.
According to Martin Estrada, the U.S. attorney in Los Angeles, the Qakbot network victimized nearly every sector of the economy. Over a span of 18 months, it facilitated approximately 40 ransomware attacks, earning the administrators a staggering $58 million. Among the victims were an Illinois-based engineering firm, financial services organizations in Alabama and Kansas, a Maryland defense manufacturer, and a Southern California food distribution company.
During the operation, law enforcement officials seized or froze around $8.6 million in cybercurrency. However, no arrests have been announced thus far, and investigations are still ongoing. The location of the malware administrators, believed to be in Russia or other former Soviet states, is yet to be disclosed.
Since its emergence in 2008, Qakbot, also known as Pinkslipbot and Qbot, has wreaked havoc globally, causing hundreds of millions of dollars in damages. This malicious software, primarily delivered through phishing email infections, granted criminals initial access to compromised computers. They could then execute additional malicious activities such as deploying ransomware, stealing sensitive information, and conducting financial fraud like tech support and romance scams.
The Qakbot network played a significant role in the global cybercrime supply chain, as explained by Donald Alway, assistant director in charge of the FBI’s Los Angeles office. He described it as one of the most devastating cybercriminal tools in history. The malware impacted approximately one in ten corporate networks and accounted for roughly 30% of global cyber attacks. It served as an essential tool for ransomware gangs, eliminating the need for initial network penetration.
Dubbed Duck Hunt, the operation involved the FBI, Europol, and law enforcement and justice partners in France, the United Kingdom, Germany, the Netherlands, Romania, and Latvia. Over 50 Qakbot servers were seized, and more than 700,000 infected computers were identified, with over 200,000 in the United States alone. This eradicated criminals’ access to their targets.
To further neutralize the threat, the FBI utilized the seized Qakbot infrastructure to remotely remove the malware from thousands of infected computers. Although the exact number of computers cleared is fluctuating, the senior FBI official mentioned that some residual malware may remain on the liberated machines.
Alex Holden, founder of Hold Security, praised the operation, highlighting Qakbot’s status as the largest botnet in terms of victims. However, he noted that large botnets often implode due to attracting numerous threat actors seeking various forms of abuse. Similarly, Chester Wisniewski, a cybersecurity expert at Sophos, emphasized that while there may be a temporary decline in ransomware attacks, criminals will likely revive infrastructure elsewhere or shift to other botnets. He reminded us that 700,000 PCs take significant time to recruit.
While this operation marks a significant victory against cybercriminals, the fight against cybercrime remains an ongoing battle. Nevertheless, the successful dismantling of the Qakbot malware network demonstrates the determination and collective efforts of international law enforcement agencies to combat these global threats.
