FBI Operation: Qakbot Botnet Dismantled, Preventing Severe Ransomware Attacks

A global law enforcement operation led by US investigators has reportedly taken down and dismantled the Qakbot botnet, cutting off a major source of ransomware attacks.

On August 29, the Justice Department and the FBI confirmed that they had taken down Qakbot after obtaining a search warrant that allowed them to take over the servers running the botnet. Federal agents then used the botnet's own distribution channel to push an uninstaller to infected machines, forcibly removing the Qakbot malware from hundreds of computers.

During the investigation, the agencies found that Qakbot had access to over 700,000 infected computers, 200,000 of which were based in the US.

Qakbot Botnet

Qakbot, also known as Qbot, first appeared in 2008 as a Windows-based Trojan designed to steal targeted users' bank account credentials. It was typically spread through malicious attachments in phishing emails.

The malware was also designed to build a botnet that followed commands from an attacker-controlled server. This allowed the Qakbot operators to charge other cybercriminal groups for access to the compromised systems.

Those cybercrime groups could then deploy ransomware on the affected systems or steal data from them. US authorities and security researchers have linked Qakbot to a number of ransomware gangs, including Conti, Black Basta, Royal, REvil and LockBit. In return, the unidentified Qakbot operators received fees tied to victim ransom payments totalling around $58 million. The botnet's operations are estimated to have caused hundreds of millions of dollars in total victim losses.

The Operation 

The application for the operation's seizure warrant states that the FBI gained access to the servers operating the Qakbot botnet infrastructure, hosted by an unnamed web hosting company, including systems used by the Qakbot operators themselves.

The application further noted that, “Through its investigation, the FBI has gained a comprehensive understanding of the structure and function of the Qakbot botnet[…]Based on that knowledge, the FBI has developed a means to identify infected computers, collect information from them about the infection, disconnect them from the Qakbot botnet and prevent the Qakbot administrators from further communicating with those infected computers.”

Reportedly, Qakbot uses a three-tier network to control the malware installed on infected computers.

According to the FBI, Tier 1 systems are ordinary home or business computers that are infected with Qakbot and also carry an additional "supernode" module, which makes them part of the botnet's global command and control network. Many of these machines are located in the United States. To hide the primary Tier 3 command and control server, which the administrators use to send encrypted commands to hundreds of thousands of infected workstations, Tier 1 computers communicate with Tier 2 systems, which act as proxies for the network traffic.

With access to these systems and to Qakbot's encryption keys, the FBI could decrypt the encrypted commands and gain a better understanding of them. The keys also allowed the FBI to instruct the Tier 1 "supernode" computers to replace the supernode module with one developed by the FBI, containing new encryption keys, thereby taking control of Qakbot away from its own administrators.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” US Attorney Martin Estrada said in the announcement. 

The US is yet to provide further details on the issue. However, the Justice Department noted that “The FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware.”