US authorities announced this week the results of an international operation whose goal was the disruption of the notorious Qakbot botnet.
The operation, dubbed ‘Duck Hunt’, involved the takeover of Qakbot infrastructure and the distribution of a utility designed to automatically remove the malware from infected systems. Authorities also announced seizing more than $8.6 million in cryptocurrency as part of the operation.
Qakbot malware infected at least 700,000 systems worldwide, often being used to deliver ransomware to compromised devices. Investigators believe that Qakbot administrators made roughly $58 million in ransoms in less than two years.
Industry professionals have commented on various aspects of the takedown attempt, including its implications and whether this is the end of Qakbot.
And the feedback begins…
Ricardo Villadiego, Founder, CEO, Lumu:
“Overall, it’s good that law enforcement is able to execute this type of large-scale takedown – especially with a threat like Qbot. With a significant increase in ransomware attacks recently, Qbot is one of the top ransomware precursors being used by active groups like Egregor, ProLock, MegaCortex, Black Basta, Royal and Conti, according to Lumu data.
Government takedowns have to be done, but we also need to understand what this really means and why claiming victory may be premature. First, it is very likely that because the code is highly customizable, it has been sold to other threat actors in pieces. This means that we will continue to see pieces of code that trace back to Qbot for a long time. Due to this reality, it is very likely that more variants will emerge in the coming days and weeks. Organizations should not let their guard down when it comes to Qbot despite the FBI’s statement.
Secondly, there are at minimum 700K devices infected (that we know of) and we do not know if the proper malware removal procedure has taken place. The risk here is that Qbot is only an initial vector. Every machine of those 700K may be at different stages of the attack, therefore other persistence tools may already be installed there and dismantling or uninstalling Qbot may not be enough. Even if you assume that the FBI issued the uninstall command and every machine in the botnet executed it, you can only assume that Qbot is no longer active, but you don’t know what other persistence mechanisms or pieces of malware were already dropped by Qbot before the uninstall command.”
John A. Smith, CEO, Conversant Group:
“Qakbot was in some ways like zombies in a movie—every victim machine they took down became part of their army, increasing their numbers and destructive force. As the number of infected machines grew, they had greater scale to compromise more systems, grow their infrastructure, upload more malware, and profit from more ransomware and related attacks. Yet, in this scenario, we must remember that the victims weren’t completely helpless. Most victims were organizations (vs. individuals), and there were many IT controls that should have been employed to avoid these compromises. Systems were compromised via download of malicious attachments—this shows weak email, endpoint, and perimeter defenses employed at the IT level and poor choices on controls and configurations. In short, we have a shared responsibility model: bad actors doing bad things, and IT teams not looking at their defenses through a Zero Trust framework.
That said: threat actors continue to get more sophisticated in the expansiveness of their global affiliate networks and C2 infrastructures. The solution, then, requires global cooperation and intel sharing to effectively mount a defense, and we see that here—this was a laudable effort to take down a threat group that had gone unchecked for far too long. However, the methodology of gaining blanket approval (vs. individual warrants) to reach into private computers to uninstall applications raises a number of privacy and system-health concerns. While there are analogies for this in law enforcement, it sets a precedent for which there is no clear self-limiting future. Since everything is cloud connected, this essentially means that the government can leverage access to big tech clouds to reach into systems, and while there are guardrails on this particular action, it’s difficult to say where it might lead. Uninstalls can also have unintended consequences, and while this appears to have been done cleanly here, it’s a consideration for future such actions.”
Travis Smith, Vice President of the Threat Research Unit, Qualys:
“This is excellent news for the industry as Qakbot has been a major threat that organizations were trying to protect against for quite some time.
While taking down the infrastructure deals a blow to the threat actors operating it, their skills are still on the market to move to new infrastructure or integrate with another malware ecosystem. Qakbot itself is known to exploit multiple vulnerabilities ranging from operating systems to networking devices. Organizations should continue to be vigilant and take action now to reduce their organizational risk while there is a lull in the storm.”
John Fokker, Head of Threat Intelligence, Advanced Research Center, Trellix:
“2023 has already proven to be one for the books as the FBI announced yet another dismantling of a global network following the Genesis Market takedown in May and the Hive ransomware infiltration in January. Since the industry first detected Qakbot, also known as QBot, QuakBot, and Pinkslipbot, a highly resilient botnet, in 2007, it has remained active, making us researchers often feel we were playing a game of cat and mouse. It was constantly evolving, adding new features, and finding new ways to evade detection, always skirting true takedown, until today. It is great news the FBI and partners were able to disrupt this very persistent botnet and hopefully it will stay offline for good.
The takedown process is no cakewalk, speaking from experience with our recent involvement in the Genesis Market takedown and REvil arrests. Combating cybercrime takes a respectable amount of dedication and collaboration to pull apart the intricacies of ransomware infrastructures. The increase in takedowns and arrests shows that cybercriminals need to watch their backs. Law enforcement and the industry alike are seeking every opportunity to disrupt threat actors, and additional takedowns are imminent.”
Dave Ratner, CEO, HYAS:
“We applaud the FBI for taking control of the Qakbot malware command-and-control infrastructure; unfortunately, without any arrests, it’s likely that the criminals will set up new adversary infrastructure in the near future.
With dwell time being as little as 24 hours, these attacks highlight once again how critical it is for organizations to have immediate visibility into anomalous network traffic communicating with adversary infrastructure so that they can take control before ransomware impacts operational resiliency, as recommended by CISA and the NSA via Protective DNS solutions.”
Austin Berglas, Global Head of Professional Services at BlueVoyant and former FBI Cyber Division Special Agent:
“The complete dismantlement of the Qakbot operation’s infrastructure and the ability to coordinate a major global operation with international partners is the real success story.
Identifying and arresting the individuals responsible is the next, and often most difficult chapter in the investigation. The FBI’s willingness to undertake multi-year, complex, global investigations is the reason why today, so many thousands of victims are no longer unwitting members of a massive botnet of infected computers.
This is not the first time the FBI conducted remote operations at scale against international criminal groups. In 2011, the FBI and partners dismantled the Rove criminal enterprise and arrested six Estonian nationals who were responsible for running it. In Operation Ghost Click, this criminal group used malware to infect approximately 4 million computers globally and redirected them to rogue servers, allowing them to control the computers, direct them to fraudulent websites, and generate millions of dollars in fraudulent advertising fees. After a complex investigation, the FBI obtained court orders authorizing them to deploy and maintain clean servers, redirect victim computers, and ensure that the millions of victims did not lose internet connectivity.”
Ken Westin, Field CISO, Panther Labs:
“It is interesting the FBI essentially deployed something that almost resembles ‘hacking back’ to redirect traffic to their servers and ran a script to uninstall the malware on remote systems. It is rare that law enforcement would deploy such measures, as there are potential risks of executing commands on remote systems; however, the risk may have been minimal in this case given the threat posed by Qakbot to networks and critical infrastructure. It will be interesting to learn more about the legal case for when such activities can be taken to execute scripts on remote systems when dealing with malware and threats to national security.”
Max Gannon, Senior Cyber Threat Intelligence Analyst, Cofense:
“This was a major step for the FBI and Justice Department to take, and I certainly think it will have a significant impact on the threat actors behind QakBot. While this action was able to protect a huge number of victims that were already infected, it was not paired with arrests, which are what most often lead to threat actors ceasing or at least temporarily halting operations. Because it was not paired with arrests, I do not believe this will be the end of QakBot, or at the very least it won’t be the end of the threat actors behind QakBot. Because of the huge blow to the botnet’s infrastructure, I expect that the threat actors will either take a very long time to return or they will pivot to other existing botnet projects.”