- FBI on Tuesday announced takedown of infamous ‘Qakbot’ malware botnet
- Feds redirected botnet traffic through FBI servers to take down the network
- You can check a Dutch Police database to see if Qakbot infected your computer
The FBI has announced a takedown operation to disrupt the notorious ‘Qakbot’ malware network used extensively by hackers involved in stealing millions from unsuspecting users.
Qakbot malware infected more than 700,000 computers across the globe and was used to perpetrate ransomware attacks and financial frauds, officials said on Tuesday.
Believed to have originated in Russia more than a decade ago, Qakbot is commonly spread through booby-trapped emails whose attachments or links infect devices and conscript them into the network without the victim’s knowledge.
Taking a page from the hacker playbook, the FBI was able to covertly redirect the network’s traffic through government-controlled servers and used a court authorization to remotely uninstall the Qakbot malware from victim devices, untethering them from the botnet.
A senior FBI official told DailyMail.com the malware uninstaller executed without notifying victims, but people who fear they were victims of Qakbot can check a database maintained by the Dutch National Police to see if they were compromised.
Of the roughly 700,000 infected computers in the botnet, about 200,000 were in the United States, DOJ and FBI officials said.
The senior FBI official stressed the malware uninstaller tool was authorized by a judge and had a very limited scope, insisting that ‘nothing in the hard drive of the computer is touched, either to be erased or read.’
‘So none of the private information that a victim might have on the computer is going to be accessible through that process,’ the person added.
The Justice Department also confirmed the seizure of more than $8.6 million worth of cryptocurrency in illicit profits from the botnet. FBI and DOJ officials said they were not announcing any arrests in connection with the operation.
Officials noted that since its creation in 2008, Qakbot has been used in ransomware attacks and other cybercrimes that caused hundreds of millions of dollars in losses to individuals and businesses.
Qakbot essentially acted as a service provider to the hacker industry, offering an infrastructure of compromised computers that could be used to carry out attacks, or selling access to the compromised devices outright.
Brett Callow, a threat analyst with cybersecurity firm Emsisoft, told DailyMail.com: ‘Qakbot was one of the most popular malware loaders, and was leveraged in the attack chains of multiple ransomware groups and other cybercrime operations.’
US officials say Qakbot was used as an initial means of infection by many prolific ransomware gangs in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta.
After gaining a foothold through the loader, the ransomware gangs encrypt the victim’s systems and extort them, demanding ransom payments in bitcoin or other cryptocurrency in exchange for restoring access to the encrypted networks.
Victims of Qakbot included a power engineering firm based in Illinois; financial services companies in Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California.
The takedown operation, known as ‘Operation Duck Hunt,’ was led by prosecutors and investigators working out of the US Attorney’s Office in Los Angeles.
The operation also involved authorities from France, Germany, the Netherlands, the United Kingdom, Romania and Latvia.
To disrupt the botnet, the FBI says it redirected Qakbot traffic to FBI-controlled servers that instructed infected computers to download an uninstaller file.
This uninstaller, created specifically to remove the Qakbot malware, untethered infected computers from the botnet and prevented the operators from using Qakbot to install any additional malware on them.
‘The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,’ FBI Director Christopher Wray said in a statement.
‘The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast,’ he added.
Callow, the Emsisoft threat analyst, said that while the takedown of Qakbot will not deal a death blow to ransomware hacker gangs, it will have an impact.
‘While the bad guys will invariably start using alternatives to Qakbot, the takedown is nonetheless significant. The more we can disrupt operations like Qakbot, the harder it is for cybercriminals to operate – and the harder it is, the less profitable it is,’ he said.
Potential victims have two ways of checking whether their devices were compromised by Qakbot.
In addition to the Dutch police site, the FBI has partnered with the website Have I Been Pwned? where individuals can check whether their credentials were compromised.