On August 29, 2023, the US FBI announced that it had dismantled the multinational hacking and ransomware operation Qakbot, also known as Qbot. After Hive, Emotet and Zloader, Qakbot is now the latest botnet to be hit. But is the botnet destroyed and the ransomware unusable, or merely paralyzed, as was the case with Emotet?
The Qakbot malware infected victims via spam emails containing fraudulent attachments and links. It also served as a platform for ransomware operators. Once a victim's computer was compromised, it became part of the larger Qakbot botnet, which was used to hijack further computers. 700 computers were affected worldwide, including at financial institutions, government contractors and medical device manufacturers.
What is Qakbot?
“Qakbot was operated by Eastern European hackers and has been active since 2008. It is the most frequently discovered malware, affecting 11 percent of corporate networks worldwide in the first half of 2023. Qakbot is particularly tricky: it is a multi-purpose malware that resembles a Swiss Army knife. It allows cybercriminals to directly steal data (including access to financial accounts and payment cards) or computers, while also serving as a platform to infect victims' networks with additional malware and ransomware. Primarily distributed via phishing emails, Qakbot is highly adaptable and flexible, allowing the malware to bypass security measures. It uses well-known file types such as OneNote, PDF, HTML, ZIP or LNK to deceive users,” says Sergey Shykevich, Threat Intelligence Manager at Check Point Research.
This is what Google subsidiary Mandiant says about Qakbot
The FBI has worked with partners around the world to neutralize the Qakbot malware infrastructure. The infrastructure was used by cybercriminals to spread ransomware. Ransomware is still often used by cybercriminals to pursue economic goals. According to the M-Trends 2023 research report, Mandiant's 2022 investigations involved ransomware in 18 percent of cases.
Sandra Joyce, VP, Mandiant Intelligence at Google Cloud explains: “Ransomware is a major national security challenge that we must take just as seriously as threats from nation states like Russia or North Korea. The fundamentals of the business model are solid and this problem will not be solved any time soon. Many of the tools we have at our disposal will not have a lasting impact. These groups will recover and come back. But we have a moral obligation to pause these operations whenever possible.”
Qakbot comment by Arctic Wolf
The duck hunt was successful: media report that the FBI managed to dismantle the botnet controlled via the Qakbot malware as part of an international law enforcement operation called “Duck Hunt”, with forces from Germany, the Netherlands, Romania, Latvia and the United Kingdom taking part.
“The fact that the ‘duck hunt’ on Qakbot was successful is positive for two reasons: on the one hand, we see that the international law enforcement authorities are working together better and better, and on the other hand, it is another sign that the authorities are on the heels of organized cybercrime and that it cannot do its mischief undisturbed.
Nevertheless, this important breakthrough should not be overestimated. Although the botnet has been destroyed for the time being, the malware's source code still exists, and so do its developers. It is to be expected that they will regroup and resume their ‘work’ within a few weeks or months.
Companies can check whether their credentials have been stolen by the Qakbot actors. This works by entering your own email address at Have I Been Pwned or on the Dutch police website,” says Dr. Sebastian Schmerl, Director Security Services EMEA at Arctic Wolf.
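The credential check described above can be automated for a whole list of corporate mailboxes. The script below is an added illustration for this article, not code from Arctic Wolf, Have I Been Pwned or the Dutch police. It assumes a Have I Been Pwned API v3 key in the `HIBP_API_KEY` environment variable; the breach name in `BREACH_NAME` is a placeholder that you must replace with the name HIBP uses for the Qakbot data, which this article does not state. The sample responses are constructed so the logic can be exercised offline.

```python
"""Query the Have I Been Pwned breach API (v3) for a list of e-mail addresses
and report which accounts appear in a given breach.

Added example for this article, not code from Arctic Wolf or HIBP.
Assumptions: HIBP_API_KEY holds a valid API key; BREACH_NAME is a placeholder
to be replaced with the real HIBP breach name for the Qakbot data.
"""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{account}"
BREACH_NAME = "PLACEHOLDER-QAKBOT-BREACH"  # placeholder; look up the real breach name on HIBP

# A fetcher returns (HTTP status, response body). Injected so the logic can run offline.
Fetcher = Callable[[str], Tuple[int, str]]


def hibp_fetch(account: str) -> Tuple[int, str]:
    """Live HTTP lookup against HIBP. 200 = breaches found, 404 = none on record."""
    url = HIBP_URL.format(account=urllib.parse.quote(account)) + "?truncateResponse=false"
    req = urllib.request.Request(
        url,
        headers={
            "hibp-api-key": os.environ["HIBP_API_KEY"],
            "user-agent": "corp-credential-check",  # HIBP rejects requests with no user agent
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def breaches_for(account: str, fetch: Fetcher, retries: int = 3, base_delay: float = 1.0) -> List[str]:
    """Return the breach names HIBP lists for one account ([] on 404).
    A 429 (rate limited) answer is retried with exponential backoff."""
    for attempt in range(retries):
        status, body = fetch(account)
        if status == 200:
            return [entry["Name"] for entry in json.loads(body)]
        if status == 404:
            return []
        if status == 429:
            time.sleep(base_delay * (2 ** attempt))
            continue
        raise RuntimeError(f"HIBP returned HTTP {status} for {account}")
    raise RuntimeError(f"still rate limited after {retries} attempts for {account}")


def check_accounts(accounts: List[str], fetch: Fetcher, pause: float = 1.6) -> Dict[str, List[str]]:
    """Map every account to its breach list, pausing between requests to stay
    within the HIBP per-key rate limit (pause=0 when using an offline fetcher)."""
    report: Dict[str, List[str]] = {}
    for index, account in enumerate(accounts):
        if index and pause:
            time.sleep(pause)
        report[account] = breaches_for(account, fetch, base_delay=pause)
    return report


def accounts_in_breach(report: Dict[str, List[str]], breach_name: str = BREACH_NAME) -> List[str]:
    """Accounts whose breach list contains breach_name; these need a password reset."""
    return sorted(acct for acct, names in report.items() if breach_name in names)


# Constructed sample responses standing in for the live API (not real HIBP data).
SAMPLE_RESPONSES = {
    "alice@example.com": (200, json.dumps([
        {"Name": BREACH_NAME, "Title": "Constructed breach", "BreachDate": "2023-08-29",
         "DataClasses": ["Email addresses", "Passwords"]},
        {"Name": "OtherConstructedBreach", "Title": "Other", "BreachDate": "2019-01-01",
         "DataClasses": ["Email addresses"]},
    ])),
    "bob@example.com": (404, ""),
}


def sample_fetch(account: str) -> Tuple[int, str]:
    """Offline fetcher returning the constructed responses above."""
    return SAMPLE_RESPONSES.get(account, (404, ""))


if __name__ == "__main__":
    live = bool(os.environ.get("HIBP_API_KEY"))
    fetcher, pause = (hibp_fetch, 1.6) if live else (sample_fetch, 0.0)
    result = check_accounts(list(SAMPLE_RESPONSES), fetcher, pause=pause)
    for acct in accounts_in_breach(result):
        print(f"{acct}: listed in {BREACH_NAME}; reset the password and revoke sessions")
```

The fetcher is injected so the same code runs against the live API and against constructed data; in production, feed the exported list of your own domain's mailboxes and treat every hit as a credential-reset and session-revocation task rather than only a notification.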