
FBI, international partners tear down Qakbot malware infrastructure, recover nearly $9 million

by John R. Fischer, Senior Reporter | September 08, 2023
Cyber Security Health IT
The FBI and international agencies have removed the Qakbot malware from roughly 700,000 computers worldwide.
Over 700,000 computers, including ones used by healthcare facilities worldwide, are now free of Qakbot malware thanks to an FBI-led international operation that took down the malicious code’s infrastructure and recovered approximately $8.6 million in cryptocurrency that attackers acquired illegally.

In recent years, notorious ransomware gangs, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta, have used Qakbot to target and attack companies in various industries, including healthcare, banking, education, and government agencies, demanding ransoms in bitcoin in exchange for returning access to computer networks.

The malware is controlled by a cybercriminal organization and primarily infects computers through spam email messages carrying malicious attachments or hyperlinks. Each infected machine joins a “botnet,” a network of compromised computers that gives the attackers complete remote control over them without the owners’ knowledge.

The FBI gained access to Qakbot’s infrastructure and identified over 700,000 infected computers, including over 200,000 in the U.S. It then redirected Qakbot botnet traffic to and through FBI-controlled servers, which instructed every infected computer that checked in to download a file created by law enforcement that uninstalls the malware.

“We applaud the efforts of the FBI and allied partners to use innovative methods and to conduct disruptive cyber operations against the infrastructure used by cyber adversaries. These operations degrade the capabilities of ransomware groups to launch attacks against the U.S., including those against hospitals,” John Riggi, the national advisor for cybersecurity and risk for the American Hospital Association, said in a statement.

For the takedown, the FBI partnered with agencies in France, Germany, the Netherlands, the U.K., Romania, and Latvia. It also is working with Zscaler, Microsoft Digital Crimes Unit, the Cybersecurity and Infrastructure Security Agency, the National Cyber Forensics and Training Alliance, Shadowserver, and Have I Been Pwned to identify and help affected victims.

The uninstaller removes only the Qakbot malware itself; it does not remove other malware that Qakbot operators may have installed on the same computers, and it neither accesses nor modifies any owner or user data on them.

In a joint statement, the FBI and CISA said that organizations should use remediation measures to identify Qakbot-related infections and reduce the likelihood of such attacks. These include having a recovery plan in place; ensuring all account passwords comply with National Institute of Standards and Technology guidelines; using phishing-resistant, multifactor authentication; keeping operating systems, software, and firmware up-to-date; auditing user accounts; and segmenting networks, among other recommendations.
