Date: 2023-08-30

The United States FBI and the Justice Department have announced a multinational operation involving actions in the US, France, Germany, the Netherlands, the UK, Romania, and Latvia to disrupt the botnet and malware known as Qakbot, taking down its infrastructure. The action represents the largest US-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cybercriminal activity.

The Qakbot malware, also known by various names including "Qbot" and "Pinkslipbot", infected victims' computers primarily through spam emails that contained malicious attachments or links. Since its creation in 2008, Qakbot malware has been used in ransomware attacks and other cybercrimes that caused hundreds of millions of dollars in losses to individuals and businesses in the US and abroad. In recent years, Qakbot became the botnet of choice for some of the most infamous ransomware gangs, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. Qakbot administrators have reportedly received fees corresponding to approximately $58 million in ransoms paid by victims.

FBI redirected Qakbot botnet traffic to and through controlled servers

The FBI said it gained access to Qakbot infrastructure and identified more than 700,000 computers worldwide, including more than 200,000 in the US, that appear to have been infected with Qakbot. To disrupt the botnet, the FBI redirected Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the US and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.

The Department of Justice also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims. "The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees," said FBI director Christopher Wray. "The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast."

The FBI has partnered with the US Cybersecurity and Infrastructure Security Agency (CISA), Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation.

Qakbot malware data searchable via Have I Been Pwned

Qakbot malware data is now searchable on the Have I Been Pwned site, wrote founder Troy Hunt. "These are now all searchable in HIBP, albeit with the incident flagged as 'sensitive.' So, you'll need to verify you control the email address via the notification service first, or you can search any domains you control via the domain search feature." Further, the passwords from the malware will shortly be searchable in the Pwned Passwords service, which can either be checked online or via the API, Hunt added.

Operation likely to have significant short-term effect on cybercriminal groups

"The recent law enforcement operation targeting Qakbot will likely have a significant short-term effect (one to three months) on the activities associated with many cybercriminal groups," Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, tells CSO. "Many high-profile ransomware groups are known to favor using Qakbot to facilitate initial access to targeted organizations. With the disruption to Qakbot, it's likely that such groups will have to pivot to other, less favored methods of gaining access to targeted organizations."

What the future holds for Qakbot is unclear, he adds. "Other malware families, notably the Emotet botnet, were previously targeted by law enforcement activity and shut down for extended periods of time, before returning." In terms of the landscape for malware loaders, ReliaQuest recently observed that Qakbot was one of three loaders that, in total, accounted for 80% of incidents in which a malware loader was observed. "The other two most commonly used loaders were SocGholish and Raspberry Robin. It's realistically possible that criminal groups known to favor use of Qakbot will pivot to these capable loaders."

How to avoid Qakbot and other botnet malware infections

Guidance for those impacted by incidents involving Qakbot is the same tried-and-tested advice given after previous malware incidents, according to Hunt:

For administrators with affected users, CISA has a report that explains the malware in more detail, including links to YARA rules to help identify the presence of the malware within your network.
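The Pwned Passwords API check mentioned above, as an added example that is not part of the original article or of Have I Been Pwned's own code: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest to the real range endpoint (k-anonymity), and matches the remaining suffix against the returned list. The range response body below is constructed for the example and its counts are made up; `check_password_live` is the only function that touches the network.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP k-anonymity endpoint

# Constructed range response for prefix "5BAA6" (counts are made-up values).
# The second suffix is SHA-1("password") with its first five hex chars removed.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1E2AAA439972480CEC7F16C795BBB429372:1",
])


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    Only the 5-character prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range body ("SUFFIX:COUNT" per line) into {suffix: count},
    tolerating blank lines, Windows line endings and padded zero-count rows."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password appears in breach data according to the range body
    for its prefix; 0 means the suffix was not listed (or was a padding row)."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the live range body for a 5-char prefix; Add-Padding hides the
    true response size from network observers (entries with count 0 are padding)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "credential-remediation-check",
                                          "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    """Full online check: local hashing, prefix query, local suffix comparison."""
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))
```

Run `breach_count("password", SAMPLE_RANGE_RESPONSE)` offline to see the lookup; a non-zero result is the signal to force a reset for that credential.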