QakBot malware dismantled, six malicious servers identified in France


It was an initial infection vector that could open the door to dangerous ransomware. The QakBot malware, also known as Qbot and Pinkslipbot, was dismantled on Saturday, August 26 by the FBI's Los Angeles field office, the US justice authorities announced, at the end of an international operation that notably involved France.

After taking control of the malware's infrastructure (the precise details are not known), the US justice authorities redirected the traffic from the 700,000 infected computers to their own servers and launched a procedure to uninstall the malware. The maneuver, dubbed “Duck Hunt”, recalls in particular the operation carried out by the French gendarmerie and Avast against Retadup.

Used by ransomware cybercriminals

According to the US justice authorities, QakBot was used by notorious cybercriminal gangs such as Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta. Over the past two years, QakBot reportedly allowed these criminals to collect $58 million in ransoms paid by victims. The FBI also seized more than $8.6 million (about 8 million euros) in cryptocurrency, presumably the proceeds of ransoms. However, no arrest or identification of a suspect has been announced.

The malware was distributed via malicious attachments or links. Once installed, it made it possible to deploy other malware, such as ransomware or spyware targeting financial information or username and password pairs. Considered a “slower Emotet”, another botnet already in the sights of the police, this malware had been active since 2007, according to Europol.

Six servers identified in France

QakBot mainly targeted American users (200,000 infected computers were located in the United States) but also French ones, with 26,000 infected workstations in France. The French police also identified six malicious servers based in France, out of the 170 identified worldwide, while the Netherlands and Germany counted 22 and 8 respectively.

The investigators of the sub-directorate for the fight against cybercrime and the French gendarmerie thus worked with the FBI, as did several European police forces, on mapping the criminal infrastructure. In addition to the Have I Been Pwned service, a site set up by the Dutch police, which has secured 7.6 billion stolen credentials, lets you check whether your computer was infected.
