Skip to content

FBI shuts down Qakbot malware tied to ransomware, financial fraud

Qakbot affected 200,000 U.S. computers

FBI Director Christopher Wray said in a statement that the malware affected banks, a contractor for critical infrastructure and a medical device manufacturer.
FBI Director Christopher Wray said in a statement that the malware affected banks, a contractor for critical infrastructure and a medical device manufacturer. (Tom Williams/CQ Roll Call file photo)

The Justice Department on Tuesday said the FBI led a multinational effort involving the authorities from France, Germany, the Netherlands, the United Kingdom, Romania and Latvia to take down criminal infrastructure, disabling malware known as Qakbot.

“The action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity,” the Justice Department said in a statement.

The department said it had seized about $8.6 million in cryptocurrency that criminals had amassed from ransom payments by victims and the money would be returned to victims.

FBI Director Christopher Wray said in a separate statement that the malware touched on some of the areas security experts in Washington consider most sensitive. 

“The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast,” Wray said in a statement. He didn’t provide details on the infrastructure sector the contractor was involved in.

The White House in July issued an implementation plan to spell out how it would protect critical infrastructure such as water and power plants. The administration strategy calls for large public and private sector entities to take more responsibility to reduce risks, and it offers incentives for more investment in long-term cybersecurity.

The Qakbot malware was used to infect victims’ computers through spam email messages containing malicious attachments, the Justice Department said. Once clicked and activated, the malware installed ransomware, shutting down victims’ computers and leading the criminals to demand ransom payments to unlock them, the department said.

The FBI gained access to Qakbot infrastructure and identified more than 700,000 computers worldwide, including 200,000 in the United States, that were affected by the malware, the department said.

The malware was used by prolific criminal groups such as Conti, REvil and others that have been linked to attacks on U.S. hospitals, school systems, city governments, as well as similar victims in other countries around the world.