CarderPlanet
Did the FBI's largest operation fail, or did the attackers run a multi-pass operation?
Researchers at Cisco Talos report that the hackers behind the Qakbot botnet are now spreading ransomware.
Note that at the end of August, US law enforcement agencies took down Qakbot, one of the most prolific and long-lived botnets, as part of an international operation called "Duck Hunt". Agencies in seven countries not only disabled the Qakbot infrastructure but also removed the malware from infected devices.
According to Cisco Talos specialists, despite the takedown of the Qakbot infrastructure, the operators managed to keep their distribution tooling, which is now being used to deliver variants of the Cyclops/Ransom Knight ransomware as well as the Remcos Remote Access Trojan (RAT).
Notably, this activity began in early August, before the FBI seized the Qakbot infrastructure in late August, and has continued ever since. This indicates that the law enforcement operation may not have affected the Qakbot distribution infrastructure, but only its command-and-control (C2) servers.
The researchers point out that the names of the malicious files indicate that the ransomware is distributed via phishing emails, the same method used in previous Qakbot campaigns. Some file names are written in Italian, which leads the experts to believe that active infections are occurring in Europe.
The experts warn that the threat from Qakbot remains relevant: the developers were not arrested, and they may decide to rebuild the Qakbot infrastructure in order to fully resume their activities.
According to Cisco Talos, Ransom Knight is an updated version of the Cyclops ransomware, rewritten from scratch. The threat actor behind Cyclops announced the new variant in May 2023. Cisco Talos researchers do not believe that the Qakbot operators developed the new ransomware themselves; they are more likely customers of the Ransomware-as-a-Service (RaaS) operation offering Cyclops/Ransom Knight.