FBI Pwns Qakbot Ransomware Network

The FBI has managed to take down the infamous Qakbot ransomware network. And this is no minor takedown by the feds:

The FBI and international partners disrupted the Qakbot botnet — a grouping of computers infected by a malware program that was used to carry out the cyberattacks — and are now working to disable the program on thousands of victim computers, law enforcement officials said.

Dubbed “Operation Duck Hunt,” the effort to take down the botnet system also seized nearly $9 million in cryptocurrency that was collected in criminal ransomware campaigns.

Qakbot’s victims totaled 700,000 across the globe in 2023, according to the Justice Department, with approximately 200,000 located in the U.S. Small businesses, healthcare providers and government agencies including a defense manufacturer base in Maryland were harmed by attacks linked to the network.


As part of “Operation Duck Hunt,” the FBI gained access to the QakBot infrastructure and “redirected” the cyberactivity to servers controlled by U.S. investigators, according to senior FBI and Justice Department officials. Investigators were then able to inject the malware with a program that released the victim computer from the botnet, freeing it of the malicious host.

Law enforcement officials said Tuesday they’re still trying to determine how many of the more than 700,000 computers infected this year were freed from Qakbot’s control and credited close partnership with European investigators for the operation’s success. No one has been arrested as a result of the international probe, but 52 servers were seized, and the investigation is ongoing.

Ken Westin, Field CISO, Panther Labs had this comment on the takedown:

It is interesting the FBI essentially deployed something that almost resembles “hacking back”  to redirect traffic to their servers and ran a script to uninstall the malware on remote systems. It is rare that law enforcement would deploy such measures as there are potential risks of executing commands on remote systems, however, the risk may have been minimal in this case given the threat posed by Qakbot to networks and critical infrastructure. It will be interesting to learn more about the legal case for when such activities can be taken to execute scripts on remote systems when dealing with malware and threats to national security.

In short, the FBI has pwned them. Ingenious. And I have to admit that I am impressed. Clearly even the bad guys are vulnerable to being pwned due to the fact that they didn’t take the proper measures to avoid being pwned. Just like their victims fail to sometimes do.

UPDATE: Dave Ratner, CEO, HYAS had this comment:

   “We applaud the FBI for taking control of the Qakbot malware command-and-control infrastructure; unfortunately, without any arrests, it’s likely that the criminals will setup new adversary infrastructure in the near future.  With dwell time being as little as 24 hours, these attacks highlight once again how critical it is for organizations to have immediate visibility into anomalous network traffic communicating with adversary infrastructure so that they can take control before ransomware impacts operational resiliency, as recommended by CISA and the NSA via Protective DNS solutions.”

Leave a Reply

%d bloggers like this: