U.S. and foreign agencies dismantle Qakbot network


On Tuesday, several U.S. and foreign law enforcement agencies announced they had taken down a network, known as a botnet, of 700,000 computers that had contributed to thousands of malware infections globally.

The financial sector had been the primary target of ransomware and account compromises by the botnet, which started out as a banking trojan — a piece of software that appears legitimate but covertly gives an attacker access to the computer it has been installed on.

The botnet, known as Qakbot and by several other names, gave illegal access to groups behind major ransomware strains including Conti, REvil, and Black Basta. Over a two-year period, Qakbot administrators received $58 million in fees for assisting these groups to hack into accounts and infect computers, according to a warrant issued last week by the Department of Justice.

During the takedown operation, law enforcement agencies seized $8.6 million of stolen money in the form of cryptocurrencies, according to the Department of Justice.

An earlier warrant detailed a case in February in which a company — whose name the Department of Justice redacted — had its network infected with Black Basta ransomware. An FBI investigation into the matter determined that the network had also been infected with Qakbot. The company reported losses of $10 million and made a $3 million ransom payment to regain access to its computers.

The group behind Qakbot has operated since at least 2008, according to the Cybersecurity and Infrastructure Security Agency (CISA). In the years since, its operators quietly grew the botnet with malware delivered through phishing campaigns, adding new computers to the network, often without the victims' knowledge.

Once Qakbot is installed on a computer, it begins communicating with a Qakbot supernode to ask for further instructions. Supernodes are themselves infected machines that relay traffic onward, so an infected computer never contacts the operators' servers directly. As of June, CISA had identified 853 of these supernodes, which helped to hide the identity of the command and control servers — the servers from which Qakbot operators sent instructions to their vast empire of secretly indentured computers.


In its description of the Qakbot infrastructure, CISA detailed three layers of control that helped to hide the identity of computers that Qakbot operators were using to disseminate instructions to the botnet.

To take down the Qakbot network, the FBI — with assistance from multiple foreign agencies — managed to redirect Qakbot traffic to and through FBI-controlled servers. When infected computers checked in for further instructions, the FBI servers answered with a file created by law enforcement that uninstalled the Qakbot malware.

In other words, the FBI used the control the botnet already had over 700,000 computers to send them a single instruction: remove the malware — and nothing else, according to the Department of Justice. The action had been authorized by a U.S. magistrate judge, according to a redacted search warrant.

"The scope of this law enforcement action was limited to information installed on the victim computers by the Qakbot actors," reads a DOJ press release. "It did not extend to remediating other malware already installed on the victim computers and did not involve access to or modification of the information of the owners and users of the infected computers."

CISA confirmed in its own press release that the FBI's actions only redressed Qakbot infections and did not remove previously installed malware or ransomware on victim computers.

For anyone concerned that they may have been compromised by Qakbot — whether by having a password stolen or their computer infected — the Department of Justice provided a webpage with resources including guidance on what to do about infected email accounts, indicators of a compromise, and links that can help identify whether a credential has been compromised.
