An international law enforcement operation led by the FBI and the U.S. Justice Department has resulted in a major disruption for the Qakbot botnet.
Qakbot is a banking Trojan first discovered in the late 2000s that has been a prolific cybercrime fixture over the years, especially among ransomware gangs. The Justice Department announced the takedown Tuesday in a news release, saying it was "a multinational operation involving actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia."
The FBI managed to, via court order, gain access to the botnet's infrastructure and obtain valuable data, including encryption keys to command and control systems. Authorities also identified more than 700,000 infected computers globally, including more than 200,000 in the U.S., and redirected Qakbot traffic to bureau-controlled servers.
These servers, according to an FBI news story, "instructed infected computers to download an uninstaller file." The uninstaller was a DLL file that removed Qakbot malware from victims' systems, untethered them from the botnet and prevented the installation of new malware.
"The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees. The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast," FBI Director Christopher Wray said in a video announcement of the takedown.
The operation, dubbed "Duck Hunt," also led to the seizure of $8.6 million in extorted funds. The Justice Department said investigators found evidence that Qakbot administrators had received some $58 million in ransom payments between October 2021 and April 2023.
"Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law," Attorney General Merrick Garland said in the Justice Department press release.
Cybersecurity vendor Secureworks published a technical analysis of the Qakbot takedown in which it referred to the FBI's custom DLL file as "clever." In a statement shared with TechTarget Editorial, Don Smith, vice president of Secureworks' Counter Threat Unit, said Qakbot "was a significant adversary" to businesses around the globe.
"Engineered for eCrime, Qakbot infections led to the deployment of some of the most sophisticated and damaging ransomware. Qakbot has evolved over the years to become a flexible part of the criminal's arsenal," Smith said. "Its removal is to be welcomed."
TechTarget Editorial has contacted the FBI for additional comment.
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.