{"id":16659,"date":"2023-09-01T11:56:52","date_gmt":"2023-09-01T11:56:52","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=16659"},"modified":"2023-09-01T12:07:25","modified_gmt":"2023-09-01T12:07:25","slug":"qakbot-hacked-removed-from-700k-machines","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/qakbot-hacked-removed-from-700k-machines\/","title":{"rendered":"Qakbot Botnet Hacked, Removed from Over 700,000 Machines"},"content":{"rendered":"<p>Qakbot, a notorious botnet, has been taken down by a multinational law enforcement operation spearheaded by the FBI, <strong>Operation \u201cDuck Hunt\u201d<\/strong>. The botnet, also called Qbot and Pinkslipbot, is considered one of the largest and longest-running botnets to date. According to conservative estimates, law enforcement officials have linked Qakbot to <strong>at least 40 ransomware attacks<\/strong>. These attacks targeted companies, healthcare providers, and government agencies worldwide, causing hundreds of millions of dollars in damage. Over the past 18 months alone, losses from these attacks have exceeded 58 million dollars.<\/p>\n<p>Qakbot has been used to deploy multiple types of malware, including trojans and highly destructive ransomware variants. Its operators also worked with ransomware affiliates, <a href=\"http:\/\/gridinsoft.com\/ransomware\/conti\">including Conti<\/a>, ProLock, Egregor, REvil, RansomExx, MegaCortex and, <a href=\"https:\/\/gridinsoft.com\/blogs\/conti-ransomware-2023\/\">most recently, Black Basta<\/a>. <strong>It has targeted the United States<\/strong> and critical infrastructure worldwide, including the Election Infrastructure Subsector and the Financial Services, Emergency Services, and Commercial Facilities Sectors.<\/p>\n<h2>How was the Qakbot botnet taken down?<\/h2>\n<p>According to court documents, the FBI found a number of files related to the operation of the <a href=\"https:\/\/gridinsoft.com\/spyware\/qakbot\">Qakbot botnet<\/a> on a computer used by one of its administrators. These files included <strong>chats between the Qakbot administrators and their co-conspirators<\/strong>, as well as a directory of files holding information about virtual currency wallets. By that point the botnet <strong>had infected over 700,000<\/strong> computers, more than 200,000 of them in the United States.<\/p>\n<figure id=\"attachment_16669\" aria-describedby=\"caption-attachment-16669\" style=\"width: 790px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/09\/qbot-map.webp\" alt=\"QakBot activity\" width=\"790\" height=\"430\" class=\"size-full wp-image-16669\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/09\/qbot-map.webp 790w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/09\/qbot-map-300x163.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/09\/qbot-map-768x418.webp 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><figcaption id=\"caption-attachment-16669\" class=\"wp-caption-text\">Map of QakBot activity in the world<\/figcaption><\/figure>\n<p>On the same computer, investigators also found a separate file called <code>payments.txt<\/code>. It contained a <strong>list of ransomware victims<\/strong>, along with information <a href=\"https:\/\/loaris.app\/blogs\/ransomware-trends-at-a-glance\/\" target=\"_blank\" rel=\"noopener nofollow\">about the ransomware group<\/a> responsible, details of the victims&#8217; computer systems, the dates of the attacks, and the amount of BTC paid to the Qakbot administrators in connection with each attack.<\/p>\n<p>The agency then <strong>redirected Qakbot traffic to servers under FBI control<\/strong>, which gave the Bureau the access it needed to push an uninstaller to compromised devices worldwide. Removing the malware cut the infected machines off from the botnet and prevented the deployment of any additional malicious payloads.<\/p>\n<figure id=\"attachment_16671\" aria-describedby=\"caption-attachment-16671\" style=\"width: 790px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/09\/qbot-scheme.webp\" alt=\"Scheme of Qbot injections on the server\" width=\"790\" height=\"380\" class=\"size-full wp-image-16671\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/09\/qbot-scheme.webp 790w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/09\/qbot-scheme-300x144.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/09\/qbot-scheme-768x369.webp 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><figcaption id=\"caption-attachment-16671\" class=\"wp-caption-text\">Qbot Injection Scheme<\/figcaption><\/figure>\n<p>Victims were not notified at the moment the uninstaller ran <a href=\"https:\/\/howtofix.guide\/remove-malware-guide\/\" target=\"_blank\" rel=\"noopener nofollow\">to remove the malware<\/a> from their systems. Instead, the <strong>FBI is contacting them using the IP addresses<\/strong> and routing information collected from their computers during removal.<\/p>\n<h2>Recommendations<\/h2>\n<p>Organizations should implement the mitigations in the joint Cybersecurity Advisory (CSA) published by CISA and the FBI. Doing so lowers the risk of QakBot-related activity and <strong>makes QakBot-facilitated ransomware<\/strong> and malware infections easier to detect. If you come across an incident or anomalous activity, report it without delay to one of the following organizations:<\/p>\n<ul>\n<li>CISA, either through the agency&#8217;s online reporting tool (cisa.gov\/report), the <a href=\"https:\/\/www.cisa.gov\/report\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">24\/7 Operations Center<\/a>, or (888) 282-0870.<\/li>\n<li><strong>FBI<\/strong> via a local field office.<\/li>\n<\/ul>\n<h2>How to prevent botnet attacks?<\/h2>\n<p><strong>Using anti-malware software<\/strong> is an important measure for protecting your computer from online threats. Cybercriminals use malware to steal your private information, monitor your online activity, or take over your computer and enlist it in a botnet. Dependable anti-malware software can detect and remove malware before it harms your system. To stay proactive, update your anti-malware software regularly and carry out full system scans. It is also crucial <strong>to keep your operating system<\/strong> and other software up to date, as updates often carry security patches for known vulnerabilities. Since Qakbot itself spread mainly through phishing emails with malicious attachments and links, treat unexpected attachments and links with suspicion even when they appear to come from a known contact.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Qakbot, a notorious botnet, has been taken down by a multinational law enforcement operation spearheaded by the FBI, Operation \u201cDuck Hunt\u201d. The botnet, also called Qbot and Pinkslipbot, is considered one of the largest and longest-running botnets to date. According to conservative estimates, law enforcement officials have linked Qakbot to at least 40 ransomware attacks. 
[&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":16668,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[7,619,1480,55],"class_list":{"0":"post-16659","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-botnet","9":"tag-cybersecurity","10":"tag-qakbot","11":"tag-ransomware"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/09\/GS_Blog_banner_Qakbot-Botnet-Hacked-Removed-from-Over-700000-Machines_1280x674.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/16659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=16659"}],"version-history":[{"count":10,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/16659\/revisions"}],"predecessor-version":[{"id":16673,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/16659\/revisions\/16673"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/16668"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=16659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=16659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft
.com\/blogs\/wp-json\/wp\/v2\/tags?post=16659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}