×

Qakbot: Feds take down malware botnet that infected 200,000 U.S. computers

Qakbot: Feds take down malware botnet that infected 200,000 U.S. computers

Federal law enforcement officials have disrupted a malware known as Qakbot — a computer code used by cybercriminals to commit ransomware, financial fraud and other cyber crimes leading to massive losses worldwide, with a Southern California food-distribution company among the victims, they announced on Tuesday, Aug. 29.

The Qakbot malware infected more than 700,000 victim computers worldwide, with 200,000 of those in the U.S., federal authorities said during a press conference in downtown Los Angeles, before its infrastructure was taken down.

The malware was being deleted from those computers, preventing it from doing more harm.

The operation also involved actions in France, Germany, the Netherlands, the United Kingdom, Romania and Latvia. The Department of Justice said authorities had seized more than $8.6 million in cryptocurrency in illicit profits.

It’s the largest United States-led financial and technical disruption of an illegal botnet infrastructure, according to the Department of Justice.

FBI Assistant Director in Charge Don Alway announces the takedown of Qakbot malware. (Photo by Sarah Reingewirtz, Los Angeles Daily News/SCNG) 

“An international partnership led by the Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world,” said Martin Estrada, a U.S. attorney.

Qakbot, controlled by a cybercriminal organization, was used to target critical industries nationwide by sending spam email messages containing malicious attachments or hyperlinks, said Thom Mrozek, a spokesman for the U.S. Attorney’s Office.

Qakbot can then deliver additional malware, including ransomware, used to seek payments in bitcoin before returning access to the victim’s computer networks, Mrozek said.

Once a victim computer is infected, it becomes part of a botnet, or robot network. Cybercriminals then have remote access to all of the infected computers in a coordinated manner, Mrozek said.

Owners and operators of the victim computers are usually unaware of the infection.

In the past year, criminals not yet tied to Qakbot attacked computers of the San Bernardino County Sheriff’s Department, the Los Angeles Unified School District and hospitals run by Prospect Medical Holdings — “and by doing that, shut down emergency rooms and medical facilities throughout the country,” Estrada said.

From October 2021 to April 2023, evidence collected by investigators shows Qakbot administrators received $58 million in ransoms, Mrozek said.

Related Articles

Business |


Vegan Sam Bankman-Fried is subsisting only on bread and water in jail, his attorneys say

Business |


What is crypto lending and how does it work?

Business |


FTX Founder Bankman-Fried, who had been living in Palo Alto, jailed in NYC

Beginning Friday, the feds’ Operation Duck Hunt gained access to the Qakbot botnet, redirecting botnet traffic to and through servers controlled by law enforcement and instructing operators of infected computers to download a Qakbot “uninstall” file that disconnected victim computers from the botnet, federal authorities said.

U.S. victims included an engineering firm in Illinois, financial-services organizations in Alabama, Kansas and Maryland, and a defense manufacturer in Maryland. Further information about the Southern California-based food distribution company hit by malware was not disclosed.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” Estrada said.

Federal authorities did not disclose whether any arrests were made in connection with Qakbot or identify any possible suspects, citing the ongoing investigation.