THE AMERICA ONE NEWS
Boston Herald
29 Aug 2023
Nathaniel Percy


U.S. takes down rogue robot network that infected 200,000 computers

By Nathaniel Percy, Southern California News Group

Federal law enforcement officials have disrupted malware known as Qakbot, computer code used by cybercriminals to commit ransomware attacks, financial fraud and other cybercrimes leading to massive losses worldwide, they announced on Tuesday, Aug. 29.

The Qakbot malware infected more than 700,000 victim computers, federal authorities said, before its infrastructure was taken down. The malware was being deleted from those computers, preventing it from doing more harm.

The Department of Justice said authorities had seized more than $8.6 million in cryptocurrency in illicit profits.

It’s the largest United States-led financial and technical disruption of a botnet infrastructure used by cybercriminals, according to the Department of Justice. The operation also involved actions in France, Germany, the Netherlands, the United Kingdom, Romania and Latvia.

“An international partnership led by the Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world,” U.S. Attorney Martin Estrada said.

Qakbot, controlled by a cybercriminal organization, was used to target critical industries nationwide by sending spam email messages containing malicious attachments or hyperlinks, U.S. Attorney spokesman Thom Mrozek said.

Qakbot can then deliver additional malware, including ransomware, used to seek payments in bitcoin before returning access to the victim’s computer networks, Mrozek said.

Once a victim computer is infected, it becomes part of a botnet, or robot network. Cybercriminals then have remote access to all of the infected computers in a coordinated manner, Mrozek said.

Owners and operators of the victim computers are usually unaware of the infection.

In the past year, criminals not yet tied to Qakbot attacked computers of the San Bernardino County Sheriff’s Department, the Los Angeles Unified School District and hospitals run by Prospect Medical Holdings, “and by doing that, shut down emergency rooms and medical facilities throughout the country,” Estrada said.

From October 2021 to April 2023, evidence collected by investigators shows Qakbot administrators received $58 million in ransoms, Mrozek said.

In the operation, named “Operation Duck Hunt,” which began Friday, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement and instructed operators of infected computers to download a Qakbot “uninstall” file that disconnected the victim computer from the botnet, federal authorities said.

They identified more than 200,000 infected computers in the United States, Mrozek said. These victims included a power engineering firm in Illinois, financial services organizations in Alabama, Kansas and Maryland, and a defense manufacturer in Maryland.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” Estrada said.

Federal authorities did not say whether any arrests were made in connection with the operation or identify any possible suspects, citing the ongoing investigation.