# Full Report
The alleged leader of the cybercriminal gang behind the Qakbot malware, which was used by many high-profile ransomware gangs, has been indicted by the U.S. Justice Department.
# Analysis Summary
# Threat Actor: Rustam Gallyamov (Qakbot Alleged Leader)
## Attribution & Identity
* **Identified Individual:** Rustam Gallyamov, a 48-year-old Russian national.
* **Role:** Alleged creator and leader of the cybercriminal gang behind the Qakbot malware.
* **Associated Groups:** The group operating the Qakbot botnet ecosystem. The malware was utilized by numerous high-profile ransomware gangs, including Conti, REvil, Black Basta, and DoppelPaymer.
## Activity Summary
* Gallyamov allegedly created the Qakbot software in 2008.
* The Qakbot botnet infected over 700,000 computers prior to its disruption in August 2023.
* Gallyamov's primary function was to sell or lease access to compromised victim devices to co-conspirators (ransomware gangs) who would then deploy ransomware. He received a portion of the collected ransom funds.
* Following the international takedown, Gallyamov's group allegedly pivoted to launching "spam bomb" attacks aimed at tricking employees into granting network access.
## Tactics, Techniques & Procedures
* Initial access via deployment of the Qakbot malware onto victim machines (serving as a primary infection vector for ransomware).
* Monetization through selling access to infected devices to ransomware operators.
* Post-takedown TTP: Launching "spam bomb" attacks targeting employees to gain initial network access.
## Targeting
* **Sectors:** Financial (implied by ransomware affiliation), healthcare (dental office), technology, manufacturing, and real estate.
* **Geography:** Global scale (700,000+ infected computers worldwide). Specific victim locations mentioned include: Los Angeles (USA), Nebraska (USA), Wisconsin (USA), and Canada.
* **Victims:** A Los Angeles dental office, a technology company in Nebraska, a manufacturer in Wisconsin, and a Canadian real estate company are specifically cited.
## Tools & Infrastructure
* **Malware families used:** Qakbot (primary tool). The article also mentions a separate indictment regarding the DanaBot malware, which points to interconnected criminal ecosystems, though Gallyamov is specifically tied to Qakbot.
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the summary; the focus is on the botnet operation itself.
## Implications
The indictment and takedown of the Qakbot infrastructure represent a significant blow to the broader ransomware ecosystem, as Qakbot served as a critical initial access broker for major financially motivated groups. The alleged pivot to spam bombing suggests ongoing resilience and adaptation by the actors involved.
## Mitigations
* Focus on security measures that counter large-scale phishing/spam campaigns ("spam bombs"), since these are used to obtain initial network access.
* Robust endpoint detection and response to identify and remove malware like Qakbot before it can establish persistence or be leveraged to deliver secondary payloads (such as ransomware).
* Monitoring for indicators related to known ransomware affiliates who previously utilized Qakbot access.