By REBECCA RUTHERFORD
For the Los Alamos Daily Post
On Aug. 29, the FBI and DOJ (Department of Justice) made a huge announcement – Qakbot has finally been taken down via a multinational operation.
The takedown, which took place in the U.S., France, Germany, the Netherlands, Romania, Latvia and the United Kingdom, represented one of the largest U.S.-led disruptions of botnet infrastructure used by cybercriminals to commit ransomware, financial fraud and other cyber-related criminal activity.
“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” FBI Director Christopher Wray said. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”
What exactly was Qakbot, and why is this takedown so important? Qakbot was a type of malware that primarily infected users via phishing emails containing malicious attachments or links. Qakbot was one of the most popular malware “loaders”: malicious software used to gain access to a compromised network and then drop additional malware payloads.
According to a study by security firm ReliaQuest, Qakbot infections accounted for nearly one-third of all loaders observed in the wild during the first half of this year.
After users downloaded or clicked the malicious content, Qakbot could deliver additional malware, including ransomware, to the user’s computer. The infected computer would then also become part of a botnet (a network of compromised computers) that could be remotely controlled by the botnet’s operators. Meanwhile, the owner of the infected computer would be unaware that anything was wrong.
Since its creation in 2007, this malware has been used in ransomware attacks and many other cybercrimes that caused hundreds of millions of dollars in losses to individuals and businesses both in the U.S. and abroad. The malware was originally a banking trojan, but has evolved into a much more advanced and multipurpose malware strain used for many ransomware attacks.
“This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe,” FBI Director Wray said.
So how did the FBI coordinate such a massive takedown on a global scale?
To start with, the FBI gained lawful access to Qakbot’s infrastructure and identified over 700,000 infected computers worldwide, including more than 200,000 in the U.S.
To take down the botnet, the FBI redirected Qakbot traffic to FBI-controlled servers that instructed the infected computers to download an uninstaller file. This uninstaller, designed to remove the Qakbot malware, removed the infected computers from the botnet and prevented installation of any additional Qakbot malware.
“All of this was made possible by the dedicated work of FBI Los Angeles, our Cyber Division at FBI Headquarters, and our partners, both here at home and overseas,” said FBI Director Wray. “The cyber threat facing our nation is growing more dangerous and complex every day. But our success proves that our own network and our own capabilities are more powerful.”
This is not the first time the U.S. Government has used court orders to remotely disinfect systems compromised with malware. In May of 2023, the DOJ removed the Snake malware from infected computers worldwide; Snake is an even older malware family with suspected ties to overseas intelligence organizations.
The takedown of Qakbot, dubbed “Duck Hunt”, is one of the biggest victories against cybercrime we’ve seen this year, but it is certain that something else just as bad will take its place. Stay aware, don’t click that link, and stay safe online!
Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
