Operation Duck Hunt: A cybersecurity milestone in ransomware takedown

• U.S. authorities cripple a ransomware network, seizing US$9M in cryptocurrency.
• The impact of Operation Duck Hunt will be felt by 700,000 victims.
• The FBI and international agencies collaborate to dismantle Qakbot, a ransomware threat to national cybersecurity and critical infrastructure.

In a landmark victory against cybercrime, the U.S. Justice Department recently revealed the significant takedown of a ransomware network, marking a pivotal moment in cybersecurity and the ongoing battle against cyberthreats. This operation highlights the intricate web of criminal activities and the extraordinary efforts required for law enforcement agencies to dismantle them.

The success of this operation also underscores the escalating threat of ransomware attacks in cybersecurity, which have increasingly targeted not just corporations, but critical infrastructure and public institutions. In an era where digital safety can influence national security, the takedown offers relief and a stern reminder of the dangers lurking in the cyber landscape.

Building on these concerns, the Justice Department has taken decisive action. As reported by Bloomberg, federal investigators have just dealt a devastating blow to one such ransomware operation, neutralizing a criminal network likely responsible for  hundreds of millions of dollars in damages.

International partnerships to take down the notorious network

Working in collaboration with its international counterparts, the FBI disrupted the Qakbot botnet—essentially a collection of malware-infected computers employed in executing these cyberattacks. Law enforcement is now in the process of deactivating the malware across thousands of affected computers.

Code-named “Operation Duck Hunt,” this initiative not only disabled the botnet but also confiscated nearly US$9 million in cryptocurrency – funds accrued from various ransomware activities.

According to official reports, Qakbot affected 700,000 victims, around 200,000 of which are based in the United States. The network’s attacks have significantly impacted small businesses, healthcare institutions, and various government agencies, including a defense manufacturing base in Maryland.

Known alternatively as Qbot or Pinkslipbot, Qakbot is a multi-faceted second-stage malware with a primary function of stealing credentials. The Cybersecurity and Infrastructure Security Agency (CISA) listed it as one of the most pervasive malware threats in 2021. It’s classified as a banking trojan, a worm, and a remote access trojan (RAT), capable of harvesting sensitive information and attempting to spread across other systems within the network.

Furthermore, Qakbot allows for remote code execution (RCE), thereby allowing attackers to manually infiltrate systems to accomplish additional nefarious objectives, like scanning the compromised network or initiating further ransomware attacks.

Affiliated with leading ransomware syndicates such as REvil, ProLock, and Lockbit, Qakbot distributes a variety of dangerous ransomware variants. It also automatically targets financial data, stored emails, system and website passwords, and browser cookies, while logging keystrokes to capture typed-in credentials.

First detected in 2008, Qakbot has been continually updated. After the release of revamped versions in 2015, its activity surged; in 2020, cybersecurity researchers recorded a 465% year-over-year spike in attacks following the launch of a new strain. In 2021, the malware played a role in a significant cyber-attack on JBS, causing interruptions in meat production and leading to an US$11 million ransom payment.

Qakbot employs a deceptively cunning strategy: it navigates through your email threads to send contextually relevant reply-all messages that appear to come from you. These emails typically include a brief message and a link, compelling recipients to open what they believe to be a legitimate attachment, thereby infecting their device.

Officials assert that the recent FBI operations have likely impaired these criminal operations. Botnets like Qakbot clandestinely assume control of computers and synchronize their malicious activities.

As part of “Operation Duck Hunt,” the FBI accessed and rerouted Qakbot’s operations to servers under U.S. control. This enabled them to inject a liberating program into the victim computers, effectively severing their connection to the malicious network.

Although the operation’s success has been partly attributed to the close collaboration with European investigators, no arrests have been made. A total of 52 servers were seized, and investigations are still ongoing. Officials are currently assessing the number of computers that have been freed from Qakbot’s influence.

Future-proofing against ransomware: What the Qakbot takedown means for cybersecurity strategy

Law enforcement officials stressed that besides the tremendous financial loss, national interests were also compromised, particularly as the attacks were aimed at essential infrastructures like hospitals.

FBI Director Christopher Wray commented on the success of the operation, stating, “Today’s success is yet another demonstration of how the FBI’s capabilities and strategy are hitting cybercriminals hard, and making the American people safer.”

Earlier this year, the FBI also neutralized an international ransomware group, Hive, taking control of its California-based servers after a year-long undercover operation.

In July 2022, FBI agents infiltrated Hive’s systems and executed what was described as a “21st-century high-tech cyber-stakeout,” collecting decryption keys and distributing them to affected parties.

The strategy employed in dismantling Qakbot aligns with a broader governmental approach aimed at disrupting cybercriminal operations and equipping victims with the necessary tools to counter malware attacks, officials said.

Kimberly Goody, a senior manager at cybersecurity firm Mandiant, noted that Qakbot had been operating for over a decade and had continually adapted. “Any impact to these operations is welcomed as it can cause fractures within the ecosystem and lead to disruptions that cause actors to forge other partnerships – even if it’s only temporary,” Goody stated.

---

---

---

---