Cybercrime , Fraud Management & Cybercrime , Ransomware

Operation 'Duck Hunt' Dismantles Qakbot

52 Servers, Nearly $9 Million Worth of Cryptocurrency Seized
Operation 'Duck Hunt' Dismantles Qakbot

U.S. authorities Tuesday said they permanently dismantled the notorious Qakbot botnet in an international operation that seized 52 servers and nearly $9 million worth of cryptocurrency.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The botnet, also known as Qbot, was a vector for ransomware, and it "has ceased to operate," said Don Alway, the assistant director in charge of the FBI's Los Angeles Field Office, during a press conference. Qakbot started as a banking Trojan in 2008. It is one of the world's longest-running botnets and accounted for hundreds of millions of dollars of losses over its lifetime, said senior FBI and Justice Department officials.

"We at the FBI and DOJ are focused on proactive disruptive activities against the actors and the key services which support their activity," senior FBI and DOJ officials told members of the media during a background briefing Tuesday. "This strategy stems from looking at the problem from the perspective of the adversary and what they need to conduct their attack."

Law enforcement identified more than 700,000 computers infected with the Qakbot malware, including more than 200,000 in the United States. Authorities pushed a removal tool to endpoints that excised Qakbot from system memory, although it did not remove any other malware that might also be present on the system.

The FBI dubbed the operation behind the takedown "Duck Hunt," a play on the Qakbot moniker. The operation is "the most significant technological and financial operation ever led by the Department of Justice against a botnet," said United States Attorney Martin Estrada of the Central District of California. International partners in the investigation include France, Germany, the Netherlands, the United Kingdom, Romania and Latvia.

"Almost every country in the world was affected by Qakbot, either through direct infected victims or victims attacked through the botnet," said senior FBI and DOJ officials. Officials said Qakbot spread primarily through email phishing campaigns, and FBI probes revealed Qakbot infrastructure and victim computers had spread around the world.

Qakbot played a role in approximately 40 different ransomware attacks over the past 18 months that caused $58 million in losses, Estrada said. "You can imagine that the losses have been many millions more through the life of the Qakbot," which cyber defenders first detected in 2008, Estrada added. "Today, all that ends," he said.

Qakbot evolved over the years to become an initial access broker for other cybercriminals, selling access to criminal affiliates who rely on that foothold. Online criminal gangs that have used Qakbot to spread ransomware include Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta.

"If you think about it from the perspective of the adversary, they are going to rent this out to what's going to make money," senior FBI and DOJ officials said. "As far as how it's utilized, they typically do not have a say or care as long as they're getting their cut."

An ecosystem has developed over time that allows ransomware groups and nation-state actors to use services from initial access brokers such as Qakbot to carry out business email compromise, elder fraud and other types of cybercrime, according to senior FBI and DOJ officials. Without services from groups such as Qakbot, officials said, these criminal activities would be much more difficult to engage in.

"This is a criminal business that they're running, and the financial piece is critically important," senior FBI and DOJ officials said. "Cybercriminals need all of those services to engage in their conduct."

Law enforcement worked with U.S. legal authorities to facilitate the operation, officials said. First, authorities penetrated Qakbot's network and were able to map it out in its entirety. Then, authorities got authorization to assume control of Qakbot's command-and-control server and redirected traffic to a server under the control of the FBI.

After redirecting online traffic to servers controlled by authorities, downloaded onto infected computers a file untethering them from Qakbot, states an FBI affidavit submitted in the U.S District Court for the Central District of California. Since Qakbot ran in memory, law enforcement didn't need to touch, erase or read anything in the victim's hard drive to remove the botnet.

"None of the private information that a victim might have on his computer is going to be accessible through that process of malware being removed from memory," senior FBI and DOJ officials said. Officials said victims wouldn't even know authorities had removed Qakbot from their system unless they had been independently tracking it.

Senior FBI and DOJ officials said the operation was timed to take advantage of a slowdown in Qakbot's activity during the summer months, and authorities sought to take action before Qakbot ramped up attacks in the fall. Even though Qakbot has been removed from victim systems, officials cautioned there still might be malware present since the botnet facilitated access for deploying other malware variants.

Prosecutors declined to identify the cybercriminal organization behind Qakbot, citing a need for secrecy in an ongoing investigation. Senior FBI and DOJ officials also declined to comment on the relationship between Qakbot and state-aligned activity or espionage.

Authorities say they will use the seized $8.6 million of cryptocurrency to refund victims and make them whole. Filings with the court and the Justice Department will be required to make a claim to the seized funds, according to senior FBI and DOJ officials.

"By shutting down the entire botnet, we are stopping the ongoing delivery of ransomware and other malicious software to victim computers across America and around the world," senior FBI and DOJ officials said. "We are looking forward to creating a broad and lasting reduction in ransomware victimization."

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.