2023-08-30

The United States FBI and the Justice Department have announced a multinational operation involving actions in the US, France, Germany, the Netherlands, the UK, Romania, and Latvia to disrupt the botnet and malware known as Qakbot, taking down its infrastructure. The action represents the largest US-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cybercriminal activity.

The Qakbot malware - also known by various names including "Qbot" and "Pinkslipbot" - infected victims' computers primarily through spam emails that contained malicious attachments or links. Since its creation in 2008, Qakbot malware has been used in ransomware attacks and other cybercrimes that caused hundreds of millions of dollars in losses to individuals and businesses in the US and abroad. In recent years, Qakbot became the botnet of choice for some of the most infamous ransomware gangs including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. Qakbot administrators have reportedly received fees corresponding to approximately $58 million in ransoms paid by victims.

FBI redirected Qakbot botnet traffic to and through controlled servers

The FBI said it gained access to Qakbot infrastructure and identified more than 700,000 computers worldwide, including more than 200,000 in the US, that appear to have been infected with Qakbot. To disrupt the botnet, the FBI redirected Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the US and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.

The Department of Justice also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims. "The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees," said FBI director Christopher Wray. "The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast."

The FBI has partnered with the US Cybersecurity and Infrastructure Security Agency (CISA), Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation.

Qakbot malware data searchable via Have I Been Pwned

Qakbot malware data is now searchable on the Have I Been Pwned site, wrote founder Troy Hunt. "These are now all searchable in HIBP albeit with the incident flagged as 'sensitive.' So, you'll need to verify you control the email address via the notification service first, or you can search any domains you control via the domain search feature." Further, the passwords from the malware will shortly be searchable in the Pwned Passwords service, which can either be checked online or via the API, Hunt added.
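As an added example, not code from the article, HIBP, or the FBI: a defender-side check against the Pwned Passwords range API using its k-anonymity scheme, in which only the first five characters of the password's SHA-1 hash are sent and the match is made locally against the returned suffix list. The sample response body below is constructed for the example; its counts are not real HIBP data.

```python
import hashlib
import urllib.request

# Public HIBP range endpoint; append the 5-character SHA-1 prefix.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char
    prefix sent to the API and the 35-char suffix kept on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """Build the range query URL; the full hash never leaves the client."""
    prefix, _ = sha1_prefix_suffix(password)
    return PWNED_RANGE_URL + prefix


def count_in_range(password: str, response_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return how
    often the password appeared in breach data, or 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in response_body.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(password: str, timeout: float = 10.0) -> str:
    """Live lookup (needs network); returns the raw response body."""
    req = urllib.request.Request(range_url(password),
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" begins
# with 5BAA6); the counts here are made up for the example.
SAMPLE_RESPONSE = (
    "1E2F8A7C0B3D9E4F5A6B7C8D9E0F1A2B3C4D5E6:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"
    "1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4E3F2:17\r\n"
)

if __name__ == "__main__":
    print("password seen", count_in_range("password", SAMPLE_RESPONSE), "times")
```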