Operation Duck Hunt: Multinational Operation Dismantles Qakbot Botnet

The FBI and the Justice Department have announced a multinational operation that has dismantled the infrastructure of the Qakbot botnet and resulted in the seizure of more than $8.6 million in cryptocurrency.

Operation ‘Duck Hunt’ took place in the U.S. and across Europe, in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom.

What is Qakbot?

Qakbot, also known as Qbot and Pinkslipbot, was one of the largest known botnets – networks of compromised computers, remotely controlled by criminals, typically without their owners’ or operators’ knowledge. It comprised at least 700,000 infected computers worldwide, including more than 200,000 in the U.S.

Compromised computers were infected “primarily through emails that contained malicious attachments or links,” said the FBI.

Since its creation in 2008, Qakbot was used “as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta” and was known to have been responsible for operations that netted its administrators approximately $58 million in victim payments between October 2021 and April 2023.

According to the FBI, its “victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”

Dead duck

According to the Justice Department, the Operation ‘Duck Hunt’ team managed to “redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.”

TechCrunch provides further details.

Attorney General Merrick B. Garland said, “Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law.”

How to prevent a computer becoming part of a botnet

Botnet software is spread like other malware, predominantly via phishing emails and malicious websites.

So, as well as technical controls (such as conducting regular scans to help identify vulnerabilities, keeping software, apps and systems updated to reduce the risk of vulnerabilities being exploited, using antivirus and anti-malware software, and configuring firewalls to prevent unauthorized access), it’s important to train staff to recognize the security risks they face.

And if you do fall victim, it’s critical to have measures in place so that you can react quickly and effectively. If you need to learn more about CIR (cyber incident response) management, you’ll be interested in our upcoming webinar.

Free webinar: Cyber Incident Response Tabletop Exercises

Wednesday, September 13, 2023, 11:00 – 12:00 (EST)

Tabletop exercises are vital for implementing a robust CIR plan within your organization. These simulations train your team to respond to real cyber incidents swiftly and effectively by identifying vulnerabilities and weaknesses in your defenses.

They foster collaboration among departments, ensuring everyone is prepared and aligned in their roles. By refining response strategies and addressing gaps, tabletop exercises boost your organization’s resilience against cyber attacks.

This free webinar covers:

  • The significance of CIR and key stages in the incident response process using NIST SP 800-61 Revision 2
  • Live CIR tabletop ransomware and phishing attack exercises with audience participation
  • Responses and techniques to mitigate the impact of cybersecurity incidents
  • GRCI Law’s CIR products and how they can benefit your organization

There will also be a Q&A at the end.