Federal law enforcement officials have disrupted a malware known as Qakbot — a computer code used by cybercriminals to commit ransomware, financial fraud and other cyber crimes leading to massive losses worldwide, with a Southern California food-distribution company among the victims, they announced on Tuesday, Aug. 29.

The Qakbot malware infected more than 700,000 victim computers worldwide, with 200,000 of those in the U.S., federal authorities said, before it’s infrastructure was taken down.

The malware was being deleted from those computers, preventing it from doing more harm.

The operation also involved actions in France, Germany, the Netherlands, the United Kingdom, Romania and Latvia. The Department of Justice said authorities had seized more than $8.6 million in cryptocurrency in illicit profits.

It’s the largest United States-led financial and technical disruption of an illegal botnet infrastructure, according to the Department of Justice.

“An international partnership led by the Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world,” U.S. Attorney Martin Estrada said.

Qakbot, controlled by a cybercriminal organization, was used to target critical industries nationwide by sending spam email messages containing malicious attachments or hyperlinks, said Thom Mrozek, a spokesman for the U.S. Attorney’s Office.

Qakbot can then deliver additional malware, including ransomware, used to seek payments in bitcoin before returning access to the victim’s computer networks, Mrozek said.

Once a victim computer is infected, it becomes part of a botnet, or robot network. Cybercriminals then have remote access to all of the infected computers in a coordinated manner, Mrozek said.

Owners and operators of the victim computers are usually unaware of the infection.

In the past year, criminals not yet tied to Qakbot attacked computers of the San Bernardino County Sheriff’s Department, the Los Angeles Unified School District and hospitals run by Prospect Medical Holdings — “and by doing that, shut down emergency rooms and medical facilities throughout the country,” Estrada said.

From October 2021 to April 2023, evidence collected by investigators shows Qakbot administrators received $58 million in ransoms, Mrozek said.

Beginning Friday, the feds’ Operation Duck Hunt gained access to the Qakbot botnet, redirecting botnet traffic to and through servers controlled by law enforcement and instructing operators of infected computers to download a Qakbot “uninstall” file that disconnected victim computers from the botnet, federal authorities said.

U.S. victims included a power engineering firm in Illinois, financial services organizations in Alabama, Kansas and Maryland, and a defense manufacturer in Maryland. Further information about the Southern California-based food distribution company hit by malware was not disclosed.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” Estrada said.

Federal authorities did not disclose whether any arrests were made in connection with Qakbot or identify any possible suspects, citing the ongoing investigation.

Related Articles