QakBot botnets have gone down - is that so?

The United States Department of Justice, in cooperation with international partners, conducted a large-scale operation to dismantle the Qakbot botnet and malware that had infected over 700,000 computers worldwide. The operation spanned several countries, including the United States, France, Germany, the Netherlands, the United Kingdom, Romania and Latvia. The aim of the operation was to remove the Qakbot malware from victims' computers and disrupt its infrastructure.

What happened? The most important findings.

Disrupting the botnet: Qakbot, also known as "Qbot" or "Pinkslipbot", was used by cybercriminals to attack critical industries worldwide. It infected computers mainly via spam emails with malicious attachments or hyperlinks. Once infected, it was able to spread further malware, including ransomware.

Several notorious ransomware groups such as Conti, ProLock and REvil used Qakbot for initial infections.

Impact of ransomware: Ransomware attacks linked to Qakbot have caused significant damage to businesses, healthcare providers and government agencies worldwide. These attacks resulted in significant financial losses, including approximately $58 million in ransom paid by victims between October 2021 and April 2023.

Deinstallation of Qakbot: As part of the takedown, the FBI gained access to Qakbot's infrastructure and identified infected computers worldwide, including more than 200,000 in the United States. The FBI redirected Qakbot traffic to servers under its control and instructed infected computers to download a law enforcement-created uninstaller. This action was aimed at removing Qakbot from victims' computers and preventing further malware installations.

Collaboration: The operation involved working with several organisations, including Zscaler, the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance and Have I Been Pwned. International collaboration was critical as agencies and authorities from multiple countries were involved in the effort.

Victim Support: Efforts were made to inform and support victims affected by Qakbot. Resources and information for victims were made available via a dedicated website.

Overall, this operation was an important step in dismantling a large cybercriminal network responsible for ransomware attacks and financial fraud, with a focus on protecting victims and preventing further harm.

In Germany, the investigation has been ongoing since the summer of 2022.

With the dismantling of the dangerous malware network Qakbot, our investigative authorities have once again succeeded in striking a major and effective blow against international cybercrime.

Federal Minister of the Interior

But what does this mean for those affected? And how can I find out whether I am or was affected?

From 25 August 2023, the Beginning on 25 August 2023, law enforcement authorities gained access to the Qakbot botnet, redirected botnet traffic to and through the law enforcement-controlled servers, and instructed the Qakbot-infected computers to download a Qakbot uninstaller file that uninstalled the Qakbot malware from the infected computer. The Qakbot uninstaller file did not remove any other malware that was already installed on the infected computers. Instead, it was designed to prevent further Qakbot malware from being installed on the infected computer by disconnecting the victim computer from the Qakbot botnet.

We have developed special detection rules in our Security Operation Centre to identify whether a Qakbot infection has occurred. The hash value for the uninstallation file is now public:

Hash value for the Qakbot uninstaller file (SHA-256): 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117

What else do I need to know?

Well, the Qakbot networks have been smashed, but those responsible have not been caught. This means that, in theory, things could go as they have so often before: there will be new organisations that use similar mechanisms but a different name. So stay vigilant and check your infrastructures.