The FBI, in collaboration with the US Justice Department and European partners, dismantled the notorious Qakbot malware and botnet.

Spanning the United States, France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom, this operation marks one of the most substantial US-led disruptions of a cybercriminal infrastructure responsible for ransomware attacks, financial fraud, and various other cybercrimes.

FBI Director Christopher Wray commented on this success, saying; “The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees.”

The Qakbot malware infiltrated victim computers primarily through malicious attachments or links within spam emails. 

Once a user engaged with these elements, Qakbot would unleash additional malware, including ransomware, onto their computer. 

Simultaneously, the compromised computer joined a botnet, enabling remote control by cybercriminals, often without the user's knowledge.

Since its inception in 2008, the Qakbot malware has been a key player in ransomware attacks and other cybercrimes, resulting in hundreds of millions of dollars in losses for individuals and businesses in the US and abroad.

FBI Director Wray said; “This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe”.

As part of this operation, the FBI gained lawful access to Qakbot's infrastructure, identifying over 700,000 infected computers globally, with more than 200,000 located in the US. 

To dismantle the botnet, the FBI redirected Qakbot's traffic to Bureau-controlled servers. 

These servers instructed infected computers to download an uninstaller, effectively removing the Qakbot malware and severing their ties to the botnet, preventing further infections.

FBI Director Wray expressed gratitude to the dedicated teams at FBI Los Angeles, FBI Headquarters' Cyber Division, and international partners, acknowledging their critical role in this operation.

Dubbed ‘Duck Hunt’, the operation saw the FBI, Europol, and law enforcement partners seizing over 50 Qakbot servers and identifying more than 700,000 infected computers. 

While the dismantling of this network has been a significant achievement, cybersecurity experts caution that it may be a temporary setback, as restarting such a vast network could take considerable time.

“This will cause a lot of disruption to some gangs in the short term, but it will do nothing from it being rebooted,” said Chester Wisniewski, a cybersecurity expert from Sophos.

“Albeit, it takes a long time to recruit 700,000 PCs.”