WASHINGTON (Reuters) – The FBI and its European partners infiltrated and took control of a major global malware network used for more than 15 years to carry out a range of cybercrimes, including devastating ransomware attacks, U.S. officials said Tuesday.
They then remotely removed a malware agent called Qakbot from thousands of infected computers.
Cybersecurity experts said they were impressed by the deft takedown of the network, but warned that any blow to cybercrime was likely to be temporary.
“Almost every sector of the economy has been harmed by Qakbot,” Los Angeles U.S. Attorney Martin Estrada said Tuesday in announcing the takedown.
In just 18 months, the criminal network facilitated about 40 ransomware attacks, which investigators say netted Qakbot administrators about $58 million, he said.
Estrada said Qakbot’s ransomware victims included an engineering firm in Illinois, financial services organizations in Alabama and Kansas, as well as a defense manufacturer in Maryland and a food distribution company in Southern California.
Officials said $8.6 million in online currency was seized or frozen, but no arrests were announced.
Estrada said the investigation was ongoing. He would not say where the administrators of the malware, which organizes infected computers into a botnet of zombie computers, are located. Cybersecurity researchers say they are believed to be based in Russia and/or other former Soviet countries.
Officials estimate that the so-called malware loader, the digital Swiss Army knife of cyber crooks, also known as Pinkslipbot and Qbot, has caused hundreds of millions of dollars in damages since first appearing in 2008 as an information-stealing banking Trojan. Millions of people have been affected in almost every country in the world, they said.
Qakbot is usually spread through phishing email infections, which provide criminal hackers with initial access to compromised computers. They can then deploy other payloads, including ransomware, to steal sensitive information or gather victim intelligence to facilitate financial fraud and crimes such as tech support and romance scams.
Donald Alway, assistant director of the FBI’s Los Angeles field office, said the Qakbot network “is actually powering the global cybercrime supply chain,” calling it “one of the most destructive cybercrime tools in history.”
Two cybersecurity firms found that Qakbot was the most commonly detected malware in the first half of 2023, affecting one in 10 corporate networks and accounting for about 30% of global attacks. This “initial access” tool allows ransomware gangs to skip the first step of infiltrating computer networks, making it a prime enabler for a widespread, primarily Russian-speaking criminal ecosystem that steals data and causes severe disruption to schools, hospitals, local governments and businesses around the world.
In an operation dubbed “Duck Hunt,” which began Friday, the FBI, Europol and law enforcement and judicial partners in France, Britain, Germany, the Netherlands, Romania and Latvia seized more than 50 Qakbot servers and identified over 700,000 infected computers, over 200,000 of them in the United States – effectively cutting off the criminals’ prey.
The FBI then used the seized Qakbot infrastructure to remotely send updates, removing the malware from thousands of infected computers. A senior FBI official, speaking to reporters on condition of anonymity, called the number “volatile” and warned that there may be other malware lingering on machines freed from Qakbot.
It’s the FBI’s biggest success against cyber crooks since it “cracked down on the hackers” by dismantling the prolific Hive ransomware gang in January.
“It’s an impressive crackdown. Qakbot is the largest botnet by the number of victims,” said Alex Holden, founder of Milwaukee-based Hold Security. But he said the botnet may have become a casualty of its own spectacular growth over the past few years.
“Today’s large botnets tend to collapse because too many threat actors are mining this data for various types of abuse.”
Chester Wisniewski, a cybersecurity expert at Sophos, agreed that while ransomware attacks may temporarily decrease, criminals are expected to either restore infrastructure elsewhere or move to other botnets.
“This will cause a lot of disruption to some gangs in the short term, but a reboot won’t do anything,” he said. “It will take a long time to recruit 700,000 PCs though.”