FBI Disrupts Massive Qakbot Botnet Driving Millions in Ransomware Losses


August 29, 2023


The FBI and the Justice Department spearheaded a multinational operation to “disrupt and dismantle” the massive Qakbot botnet that has driven millions in losses from ransomware attacks.

Qakbot malware has been used in ransomware and other attacks since at least 2008, causing hundreds of millions of dollars in losses in the U.S. and other countries.

The takedown operation involved authorities from the U.S., France, Germany, the Netherlands, Romania, Latvia, and the UK, making it “one of the largest U.S.-led disruptions of a botnet infrastructure” in history.

"The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees," said FBI Director Christopher Wray. "The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast."

"This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe."

Takeaway: The Qakbot botnet delivered the notorious Qakbot Trojan, which has been leveraged to compromise systems and steal sensitive data for the better part of two decades. This advanced malware evolved over time, gaining the ability to propagate, evade detection, and deploy other payloads.

Qakbot has been observed acting as a dropper in major ransomware campaigns and was first linked to the delivery of the ProLock and Egregor ransomware variants.

Qakbot operations first compromise a targeted system and establish persistence, then download additional payloads such as ransomware that encrypts victim files. The ability to deliver other malware like ransomware made Qakbot a tremendous threat to organizations.

Accurate data is hard to come by when assessing the wider impact of ransomware attacks, as private organizations and individuals are not required to report attacks.

In 2022, the FBI spent seven months observing the infamous Hive ransomware gang after infiltrating their operations. Based on their observations, the agency came to the shocking conclusion that only about 20% of attacks were being reported to law enforcement.

Ransomware is big business. The financial impact of ransomware attacks is one we all bear, and it is going to become a significant drag on our economy. The only way we can counter its growth as a major industry vertical is to disincentivize the attackers.

The only way to disincentivize them is to make ransomware attacks unprofitable. Raising the cost for attackers with operations like the takedown of the Qakbot botnet increases the burden on them, which is a good start, but it is just a drop in the bucket.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.