Washington — Federal investigators took down a criminal ransomware network that likely accounted for hundreds of millions of dollars in damage over the course of its existence, the Justice Department announced Tuesday. 

The FBI and international partners disrupted the Qakbot botnet — a grouping of computers infected by a malware program that was used to carry out the cyberattacks — and are now working to disable the program on thousands of victim computers, law enforcement officials said. 

Dubbed “Operation Duck Hunt,” the effort to take down the botnet system also seized nearly $9 million in cryptocurrency that was collected in criminal ransomware campaigns. 

Qakbot’s victims totaled 700,000 across the globe in 2023, according to the Justice Department, with approximately 200,000 located in the U.S. Small businesses, healthcare providers and government agencies including a defense manufacturer base in Maryland were harmed by attacks linked to the network. 

Investigators say Qakbot is a notorious and widely-used initial access broker that has been used by illicit actors across the globe to hold computer systems hostage until they’re paid off by victims. The botnet generally gains access to devices through spam emails that have malicious links embedded in the messages. 

Groups like Conti and REvil – the latter of which launched a cyber attack against American meat company JBS world’s largest meat processing company in 2021 — used Qakbot to gain access to infected computers and then used that access to wage ransomware campaigns. These criminal groups were likely affected by the recent FBI operation, officials said. 

Botnets like the one targeted by the FBI stealthily take control of a computer and work in a coordinated manner to perpetrate their alleged crimes, investigators said Tuesday. 

As part of “Operation Duck Hunt,” the FBI gained access to the QakBot infrastructure and “redirected” the cyberactivity to servers controlled by U.S. investigators, according to senior FBI and Justice Department officials. Investigators were then able to inject the malware with a program that released the victim computer from the botnet, freeing it of the malicious host. 

Law enforcement officials said Tuesday they’re still trying to determine how many of the more than 700,000 computers infected this year were freed from Qakbot’s control and credited close partnership with European investigators for the operation’s success. No one has been arrested as a result of the international probe, but 52 servers were seized, and the investigation is ongoing. 

Law enforcement officials emphasized that while hundreds of millions of dollars were likely lost because of attacks tied to Qakbot’s cyber campaigns, national interests were also at stake because the ransomware groups were targeting hospitals and critical infrastructure that are vital to national security. 

“Today’s success is yet another demonstration of how FBI’s capabilities and strategy are hitting cyber criminals hard, and making the American people safer,” FBI Director Christopher Wray said in a statement. 

Earlier this year, The FBI said it toppled an international ransomware group called Hive and seized its servers in California after more than a year of spying on the cybercriminals from inside their own network. 

In July 2022, FBI agents penetrated Hive’s computer networks and conducted what officials called a “21st-century high-tech cyber stakeout” by collecting decryption keys and distributing them to victims under the ransomware group’s control. 

The Qakbot takedown also represented an approach the government has been trying to foster — not just  disrupting criminal cyber networks, but also arming victims with the tools necessary to counter a  malware attack, law enforcement officials said Tuesday. 

“Qakbot is a longstanding operation spanning more than a decade that has adapted and evolved with the times…Any impact to these operations is welcomed as it can cause fractures within the ecosystem and lead to disruptions that cause actors to forge other partnerships – even if it’s only temporary,” Kimberly Goody, senior manager at  the cybersecurity firm Mandiant, said.