Uncle Sam on Thursday unsealed criminal charges and a civil forfeiture case against a Russian national accused of leading the cybercrime ring behind Qakbot, the notorious malware that infected hundreds of thousands of computers worldwide and helped fuel ransomware attacks costing victims tens of millions of dollars.
A federal grand jury charged Rustam Rafailevich Gallyamov, 48, of Moscow, Russia, with one count of conspiracy to commit computer fraud and abuse, and one count of conspiracy to commit wire fraud.
The feds believe the suspected criminal mastermind is in Russia, so he’s not in US custody, nor has he been arrested. And unless he foolishly decides to leave the protection of the motherland — to take a European holiday, for example — it’s highly unlikely that we’ll see a perp walk anytime soon.
The way Qakbot (aka Qbot) works: First, its operators trick their victims into downloading and running the malware, usually via a phishing email with malicious files attached. Then the software nasty gets to work doing all sorts of evil deeds. It can be used to backdoor computers, load additional malware including ransomware onto infected machines, monitor keystrokes, and steal credentials and other sensitive information.
According to the newly unsealed indictment [PDF], Gallyamov developed, deployed, and controlled Qakbot beginning in 2008, and from 2019 onward, allegedly used the malware to infect computers around the world. Using this unauthorized access, Gallyamov and his coconspirators provided access to ransomware crews, who deployed strains including Prolock, Doppelpaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus to extort victims.
Even in cases where the infections didn’t originate through Qakbot under Gallyamov’s direct control, ransomware operators allegedly paid him a cut of the illicit proceeds, according to the indictment.
A handful of the hundreds of thousands of victims, according to the court documents, include a Los Angeles dental office, tech firms in Nebraska and Pennsylvania, a Wisconsin manufacturer, a Canadian real estate company, a Wisconsin marketer, a Tennessee music company, a Colorado communications shop, and a Maryland insurance company.
700,000+ infected computers
Back in 2023, a multi-national law enforcement effort led by the FBI seized 52 servers in the US and abroad used to maintain the QBot network, along with more than $8.6 million in illicit cryptocurrency.
At the time, the feds said the botnet had infected more than 700,000 computers worldwide, including some 200,000 in America alone. In the 18 months leading up to the disruption efforts, about 40 ransomware infections via Qakbot cost businesses and government agencies $58 million in losses, the FBI says.
During a press conference announcing the takedown, US Attorney Martin Estrada called the FBI-led Operation Duck Hunt “the most significant technological and financial operation ever led by the Department of Justice against a botnet,” and said the seizures would prevent “Qakbot from resurrecting to cause further additional harm.”
That turned out to be overly optimistic. Three months later, the botnet was back.
Shift to spam bombing
According to the indictment, after the 2023 disruption, Gallyamov and crew continued their criminal activities – but changed their tactics for compromising victims, turning to other methods such as “spam bomb attacks,” including some as recently as January. These involved flooding the victim’s inbox by automatically signing the victim up for large numbers of email subscriptions.
“Defendant Gallyamov and coconspirators would launch targeted spam bomb attacks at employees of victim companies and then contact those employees, posing as information technology workers tasked with remediating the spam bomb attacks,” the court document details.
The crims would then trick the employees into running malicious code on their corporate computers, giving Gallyamov and his crew access to company machines and all the data therein, which they would then encrypt and often steal, demanding a ransom to decrypt the files or keep them from being leaked.
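A defender-side illustration of the spam-bombing pattern described above (an added example, not code from the article or the court documents): a small sliding-window detector over constructed mail-gateway log lines that flags a mailbox receiving an abrupt burst of subscription confirmations from many unrelated senders, the signal that precedes the fake IT-support contact. The log format, thresholds, subject heuristics and sample addresses are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample mail-gateway log lines (not from the article): "<ISO time>|<recipient>|<sender>|<subject>".
# Alice receives a burst of subscription confirmations from many unrelated senders; Bob gets normal mail.
START = datetime(2025, 1, 15, 9, 0, 0)
SAMPLE_LOG = [
    f"{(START + timedelta(seconds=8 * i)).isoformat()}|alice@example.com|news@site{i}.example|Confirm your subscription"
    for i in range(40)
] + [
    f"{(START + timedelta(minutes=3 * i)).isoformat()}|bob@example.com|pat@partner.example|Re: Q1 invoice"
    for i in range(6)
]

# Assumed subject fragments typical of automated sign-up confirmations.
SUBSCRIPTION_HINTS = ("confirm your subscription", "welcome to", "verify your email", "thanks for signing up")


def parse_line(line):
    ts, rcpt, sender, subject = line.split("|", 3)
    return datetime.fromisoformat(ts), rcpt.lower(), sender.lower(), subject


def detect_spam_bombs(lines, window=timedelta(minutes=10), min_msgs=25, min_senders=15):
    """Return {recipient: (message_count, distinct_sender_count, subscription_fraction)}
    for mailboxes that received an unusual burst from many unrelated senders.
    A per-recipient sliding window runs over the timestamp-sorted events."""
    events = sorted(parse_line(line) for line in lines)
    windows = {}  # recipient -> deque of (ts, sender, subject) currently inside the window
    alerts = {}
    for ts, rcpt, sender, subject in events:
        q = windows.setdefault(rcpt, deque())
        q.append((ts, sender, subject))
        while q and ts - q[0][0] > window:  # evict events older than the window
            q.popleft()
        senders = {s for _, s, _ in q}
        if len(q) >= min_msgs and len(senders) >= min_senders:
            sub_frac = sum(any(h in subj.lower() for h in SUBSCRIPTION_HINTS) for _, _, subj in q) / len(q)
            # Keep the largest burst seen for each mailbox so the alert reflects the peak.
            if rcpt not in alerts or len(q) > alerts[rcpt][0]:
                alerts[rcpt] = (len(q), len(senders), round(sub_frac, 2))
    return alerts


if __name__ == "__main__":
    for rcpt, (n, s, frac) in detect_spam_bombs(SAMPLE_LOG).items():
        print(f"possible email bombing of {rcpt}: {n} msgs from {s} senders in 10 min, {frac:.0%} look like sign-ups")
```

A hit on this detector is a prompt for the help desk to warn the mailbox owner that any unsolicited "IT support" contact about the flood is suspect, rather than a reason to auto-block mail.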
On April 25, after obtaining a warrant, the FBI seized additional illicit proceeds from Gallyamov, including more than 30 bitcoin and over $700,000 of USDT tokens.
Plus, the Justice Department today filed a civil forfeiture complaint [PDF] in the Central District of California against all the illicit proceeds seized from Gallyamov, said to be worth more than $24 million. The hope is that these funds will be returned to the victims.
The FBI-led investigation into Gallyamov included assistance from Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, the French Police Cybercrime Central Bureau, and Europol. It’s part of the larger Operation Endgame, an ongoing effort among international law enforcement agencies aimed at dismantling and prosecuting cybercriminal organizations.
It also follows another major malware disruption effort announced on Wednesday, in which international cops working with Microsoft shut down infrastructure and seized web domains used to run a distribution service for Lumma stealer. ®