FBI dismantles Qakbot malware targeting hospitals

The agency said as part of the international cyber takedown it gained lawful access to Qakbot’s infrastructure and identified more than 700,000 infected computers worldwide, including more than 200,000 in the US. 
By Andrea Fox
10:13 AM

Photo: Chip Somodevilla/Getty Images

WHY IT MATTERS

Using command-and-control infrastructure to carry out attacks globally, Qakbot enabled the most prolific ransomware groups to cause losses in the hundreds of millions, said FBI Director Christopher Wray in an announcement August 29.

The FBI's national headquarters and Los Angeles field office, supported by a network of international partners, were able to infiltrate servers and redirect traffic to their own servers, and then uninstall the malware, he said.

"This is the first time we've deployed this innovative technique, severing thousands of computers from the botnet and restoring control back to the victims," said Wray in a video posted with the announcement.

Numerous cybercriminal groups have used the Qakbot infrastructure to attack organizations, including financial institutions, critical infrastructure contractors and a medical device manufacturer on the West Coast. 

"Last year cyber crooks used this botnet to steal gigabytes of private information from a healthcare provider and later leaked that information on the dark web," he said.

The FBI director also noted that the defensive action against one of the longest-running cybercriminal botnets included seizing millions in cryptocurrency, totaling $8.6 million in extorted funds.

THE LARGER TREND

In January, the FBI announced it gained access to the Hive ransomware group's computer networks, captured its decryption keys and offered them to victims worldwide. It also seized the group's websites and communications channels in an effort to disrupt its activity.

Cybercrime organizations like Hive have an aggressive appetite for targeting healthcare organizations. In some cases, healthcare organizations are cyberterrorism targets. That fact caused the American Hospital Association and other organizations to call for greater federal support, as well as offensive actions by the government to prevent healthcare cyberattacks that the group considers essentially acts of war.

John Riggi, AHA national advisor for cybersecurity and risk – and, formerly, a longtime FBI agent – is scheduled to deliver the keynote address this Thursday at the HIMSS Cybersecurity Forum in Boston.

Riggi told Healthcare IT News that there is significant investment and focus on offensive and defensive use of artificial intelligence to strengthen cybercrime response capabilities. 

Qakbot, commonly used in phishing attacks targeting healthcare organizations, is easily weaponized with AI tools like GPT-4.

ON THE RECORD

"With our federal and international partners, we will continue to systematically target every part of cybercriminal organizations, their facilitators, and their money – including by disrupting and dismantling their ability to use illicit infrastructure to attack us," said FBI Director Wray in a statement.

Riggi's opening keynote, "The Global Cyber Threat Landscape: Healthcare Risk, Impact and Response," is scheduled for 8:40 a.m. on Thursday, Sept. 7, at the HIMSS Healthcare Cybersecurity Forum in Boston.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
