The FBI has taken down one of the biggest botnets in the world


The FBI, together with a number of international partners, has taken down Qakbot, arguably the biggest and most disruptive botnet malicious network out there.

In a video announcement posted by the FBI, FBI Director Christopher Wray said the botnet was used by countless cybercriminals, including ransomware operators, to target organizations from all verticals, and of all shapes and sizes, across the United States.

"The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast," Wray said in the video. "This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe."

Ransomware attacks

Qakbot facilitated at least 40 ransomware attacks which resulted in hundreds of millions of dollars in damages. High-profile ransomware operators, such as Conti, REvil, BlackBasta, and others, were frequent customers of Qaknet.

Read more

> Fujifilm taken down by serious ransomware attack

> This notorious malware has returned after months away

> These are the best firewalls around

The botnet operated more than 700,000 endpoints, which included some 200,000 on US soil.

During the operation, codenamed “Duck Hunt”, the FBI managed to redirect the botnet’s traffic to servers under the agency’s control, which allowed it to deploy an uninstaller to all affected devices. In other words, it sent a command to all installed malware to uninstall itself. The victims never knew what happened, but the FBI did say that it notified them using IP address and routing information used while deploying the uninstaller.

Furthermore, the FBI managed to infiltrate a computer owned by one of Qakbot’s administrators and retrieve important documents.

Citing court documents, “those files included communications (e.g., chats discussed in detail below) between the Qakbot administrators and co-conspirators and a directory containing several files holding information about virtual currency wallets,". "A different file, found elsewhere on the same computer, named 'payments.txt,' contained a list of ransomware victims, details about the ransomware group, computer system details, dates, and an indication of the amount of BTC paid to the Qakbot administrators in connection with the ransomware attack."