FBI dismantles Qakbot network used in major ransomware attacks

Some $8.6 million in stolen cryptocurrency related to the network’s operations also was seized and will be returned to victims, the FBI said.

“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” FBI Director Christopher A. Wray said in an announcement.

Qakbot, first discovered in 2008, has frequently targeted victims’ computers through spam email messages containing malicious hyperlinks or attachments. Victim machines would then become another link in the network, surreptitiously under control of those seeking to use the network for cybercrime. Some 700,000 victims have been identified worldwide, with 200,000 of them in the United States, according to the Justice Department.

The botnet enabled the operations of number of high-profile ransomware groups, including Conti and REvil, that targeted organizations such as hospitals, schools and municipal governments, holding their sensitive data hostage in exchange for a ransom payment. Victims have included a power engineering firm based in Illinois, a financial services company in Alabama and a food distribution company in California, according to authorities, who added that Qakbot administrators received about $58 million in ransoms paid by victims between October 2021 and April 2023.

The FBI said it disabled the infrastructure by tricking computers infected with the malware into distributing and downloading a file created that directed computers to uninstall the malware and untether themselves from the botnet.

Affected victims would not know that the uninstall mechanism was active, according to senior FBI and Justice Department officials who spoke on the condition of anonymity to provide reporters with details about the operation.

The senior officials declined to comment on whether the Qakbot network was linked to any one country. The FBI did not announce any arrests and said the investigation into who was behind the network is ongoing.