Last week, a pernicious and multifunctional malware was silenced as a result of Operation "Duck Hunt," a collaborative effort led by the FBI. This operation successfully extracted the malicious code from 700,000 compromised systems, forcibly severing their connection to the Qakbot botnet. Additionally, the FBI took control of 52 servers and recovered $8.6 million in stolen cryptocurrency, vowing to return these funds to the rightful victims.
Renowned for affording cybercriminals an initial entry point into a victim's network, Qakbot stands as a notorious banking trojan. This malevolent tool has enabled hackers to purchase access and deploy their own malware, including ransomware. According to U.S. authorities, Qakbot's involvement has played a role in over 40 ransomware incidents within the last year and a half, resulting in a staggering $58 million in ransom payments.
Among Qakbot's ransomware targets were an engineering firm based in Illinois, financial service entities located in Alabama and Kansas, as well as a defense manufacturer in Maryland and a food distribution company in Southern California, as stated by Estrada.
The FBI's operation involved rerouting the botnet's traffic to government-controlled servers, effectively giving them control.
Leveraging this access, the FBI directed Qakbot-infected devices globally to download an uninstaller developed by the agency. This liberated the victim's computer from the botnet, putting a halt to any future malware installations via Qakbot.
Qakbot strategically maintains a presence, ensuring persistence within the system.
This enables other threat actors to gain access for purposes like deploying ransomware, cryptocurrency mining, or causing post-exploitation effects. This insight comes from John Hammond, a senior security researcher at Huntress. Noteworthy ransomware groups employing this tactic encompass Black Basta, Conti, Egregor, MegaCortex, ProLock, and REvil.
Various malicious groups are operating from Russia, where citizens are not extradited, and many cybercrime service providers pose a significant challenge to apprehend. Unless these criminal hackers travel abroad, it becomes difficult to reach them. With these wrongdoers evading capture, there is little to hinder them from modifying the core code of their malware and botnet command-and-control structure, making it more resilient to disruption. This situation paves the way for the potential emergence of an enhanced version of Qakbot.