It was an initial infection vector that could open the door to dangerous ransomware. The QakBot malware, also known as Qbot and Pinkslipbot, was dismantled this Saturday, August 26, by the FBI's Los Angeles field office, the US Justice Department announced, at the end of an international operation that involved France in particular.
After taking control of the malware's infrastructure (the precise details are not known), the US authorities redirected the traffic of the 700,000 infected computers to their own servers and launched an uninstallation procedure for the malware. The maneuver, called "Duck Hunt" ("chasse au canard" in French), recalls in particular the operation carried out by the French gendarmerie and Avast against Retadup.
Used by ransomware cybercriminals
According to the US Justice Department, QakBot was used by infamous cybercriminal gangs such as Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta. Over the past two years, QakBot allegedly allowed these criminals to collect $58 million in ransoms paid by victims. The federal bureau also seized more than 8.6 million dollars (about 8 million euros) in cryptocurrencies, presumably the proceeds of ransoms. However, no arrest or identification of a defendant has been announced.
The malware was spread via malicious attachments or links. It then made it possible to install other malware, such as ransomware or spyware targeting financial information or username-password pairs. Considered a "slower Emotet", another botnet already in the sights of the police, this malware had been active since 2007, according to Europol.
Six servers identified in France
QakBot mainly targeted American users (200,000 infected computers were located in the United States), but also French ones, with 26,000 infected workstations in France. The French police also identified six malicious servers based in France, out of the 170 identified worldwide, while the Netherlands and Germany counted 22 and 8 respectively.
The investigators of the sub-directorate for the fight against cybercrime and the French gendarmerie thus worked with the FBI, as well as several European police forces, on mapping the criminal infrastructure. In addition to the Have I Been Pwned service, a site set up by the Dutch police, which has secured 7.6 billion stolen credentials, makes it possible to find out whether one's computer was infected.