In a coordinated effort, U.S. authorities have successfully disrupted the Qakbot botnet, a notorious cybercriminal network responsible for infecting countless computers worldwide. This operation, dubbed “Duck Hunt,” was executed after the U.S. Department of Justice (DOJ) obtained search and seizure warrants, targeting the botnet's infrastructure.
DOJ's Official Documents Reveal Details
According to official documents from the DOJ, the U.S. Federal Bureau of Investigation (FBI) has been investigating the Qakbot malicious software and its associated botnet. The malware, controlled by a cybercriminal organization, targeted critical industries globally. The Qakbot administrators facilitated further attacks on victims by ransomware actors and received a portion of the ransom proceeds in virtual currency.
The documents further state, “The Qakbot malware is controlled by a cybercriminal organization, and its operators and administrators use Qakbot to target critical industries worldwide. The Qakbot administrators facilitate further attacks on victims by ransomware actors and are paid portions of the ransom proceeds using virtual currency.”
Virtual Currency and the Qakbot Wallets
The FBI's investigation revealed that the Qakbot organization's criminal activities were funded through virtual currency. They identified 20 virtual currency wallets, referred to as the “Qakbot Wallets,” which were believed to contain the proceeds of the Qakbot organization's illicit activities. The contents of these wallets were intended to be transferred to U.S. government-controlled virtual currency wallets upon the issuance of a seizure warrant.
The documents also highlighted the vast reach of the Qakbot malware. As of June 2023, approximately 200,000 active Qakbot victim computers were located in the U.S., with around 700,000 victim computers identified globally.
Ransomware Groups and Their Association with Qakbot
The Qakbot malware has been linked to several high-profile ransomware groups, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. These groups typically gain access to a victim's computer or network, steal data, and then encrypt the victim's computers. They then extort the victims, demanding payment to restore access or prevent the release of stolen data on the internet. Payments are typically made in virtual currency, primarily Bitcoin.
The dismantling of the Qakbot botnet marks a significant victory for U.S. authorities in their ongoing battle against cybercrime. The operation's success underscores the importance of international cooperation and the need for continued vigilance in the face of evolving cyber threats.