Qakbot was likely the oldest malware botnet still continually modified and heavily used by advanced criminal attackers in 2023. Established in 2007, it finally met its end in August at the hands of a joint operation spearheaded by the FBI and involving numerous other law enforcement agencies throughout Europe.
While the infrastructure was seized and the botnet appears to be entirely out of operation for now, no arrests were made. That means the operators will likely either attempt to rebuild (by infecting new devices) or join other hacking groups. Still, the operation provides further evidence that the Biden administration is serious about rallying international partners in pursuit of the biggest cyber criminal operators, and that none of their assets are truly safe any longer.
Qakbot malware cleaned from victim computers
At this point it’s easy to be cynical about any one ransomware tool or group being taken out. However, the flurry of law enforcement activity since the international embarrassment of the Colonial Pipeline and JBS attacks in 2021 far exceeds what happened in the prior years of living under the threat of ransomware. Qakbot is a particularly big “get”; it remained among the most active malware botnets in the world throughout 2023 prior to its takedown. Many career criminals are, at minimum, severely inconvenienced and slowed down by its termination.
Qakbot started out in 2007 as a not-particularly-remarkable trojan aimed specifically at draining money from banks. Its high rate of success led the criminal underground to adopt and modify it into a multipurpose malware botnet, and it has been a go-to tool since ransomware first emerged as a leading global threat roughly a decade ago.
It has since caused hundreds of millions of dollars in damages, and is thought to have played a part in ransomware attacks that cumulatively collected about $58 million in payments over just the past 18 months. Most of the victims, however, are unwitting members of the botnet. Qakbot survived as long as it did thanks to careful design: it hid from antivirus scans by residing only in program memory, checked in with command-and-control every few minutes to receive updates, and participated in attacks without ever using enough of any individual system’s resources to catch someone’s attention.
In recent years, US law enforcement has begun automatically cleaning malware off victim PCs by redirecting infected machines’ command-and-control traffic to servers it has seized. This is a controversial practice, as it represents a potential violation of rights and could become a serious problem if the cleanup process goes wrong. However, this cleanup (along with the one done for Emotet in 2021) is building a growing body of evidence that the practice can be safe and effective if approved by a court and executed properly.
Malware botnet likely crippled for life, if not gone forever
It is always possible that Qakbot could be rebuilt, but given the thorough seizure of assets it seems much more likely its operators will move on to other malware botnet projects. Qakbot had a very impressive run, however, infecting about 200,000 computers in the US and a total of about 700,000 worldwide.
Owners of Qakbot-infected computers should also be aware that they are not free and clear after the FBI cleaning (which should be disclosed to them upon connection to the newly captured servers). While the cleanup will likely neutralize all traces of Qakbot, the operators could have planted other malware at any point during the infection.
While most of the money stolen by Qakbot is long gone, recent victims might be getting some additional good news. The Department of Justice reports that over $8 million in cryptocurrency was seized with the other assets, and they are working to identify who it belongs to and return it to them.