International law enforcement coalition takes down the Qakbot network

'The FBI neutralised this far-reaching criminal supply chain, cutting it off at the knees,' says director Wray

International law enforcement coalition takes down the Qakbot network

Law enforcement and intelligence agencies in the US and Europe say they have taken down the Qakbot botnet, used by criminal gangs to spread ransomware.

According to the FBI, Qakbot - also known as QBot and Pinkslipbot - was controlled by an unnamed cybercriminal organisation that leased access to the malware to other threat actors. Major ransomware groups like Conti, Ryuk, Egregor and Black Basta paid Qakbot operators fees to use the malware, which was installed on more than 700,000 devices.

These devices were generally infected through users clicking a link in spam emails. Its operators were also observed using the Follina flaw in Microsoft Office to deliver the malware.

The FBI gained access to Qakbot's infrastructure and redirected botnet traffic through its servers. On Saturday, together with intelligence agencies and police forces in the UK, France, Germany, the Netherlands, Romania and Latvia, it then pushed an uninstaller to remove Qakbot from victims' computers. More than $8 million in cryptocurrency was also seized from the operators.

"This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe," said FBI director Christopher Wray in a press release.

"The FBI neutralised this far-reaching criminal supply chain, cutting it off at the knees."

Will Lyne, head of cyber intelligence at the UK National Crime Agency, said in a statement: "This investigation has taken out a prolific malware that caused significant damage to victims in the UK and around the world. Qakbot was a key enabler within the cyber crime ecosystem, facilitating ransomware attacks and other serious threats."

Qakbot, a multifaceted banking Trojan that first emerged around 2008, has been used in several major ransomware attacks. Between October 2021-April 2023, Qakbot operators received around $58 million in ransom fees, according to the US Department of Justice.

Threat actors use infected devices to secure initial access to a network, and then to drop payloads such as remote-access software, post-exploitation tools and ransomware.

Most recently, Qakbot has been linked to the Black Basta ransomware group which breached more than 140 organisations this year, according to security company ReliaQuest.

Earlier this year, Black Basta breached service provider Capita and then compromised the accounts of more than 100,000 members of the pension schemes run by Marks and Spencer and Diageo.

Qakbot was the most popular malware loader deployed by cybercriminals this year, constituting 30% of all such actions, ReliaQuest said on a blog post.

In most cases Qakbot victims did not realise their devices were part of the botnet. A checking service has been created whereby people can check if their computers may have been infected using Have I Been Pwned or the Dutch National Police website.

The international take-down will have delivered a severe knock to Qakbot's operations, but software can always be reinstalled. It is too early to say whether the botnet is out of action for good, but it would certainly take some time to infect another 700,000 machines.

In the meantime, criminal gangs will probably turn to alternative loaders such as SocGholish and RaspberryRobin.