The Los Angeles dental office was among the victims of the Qakbot malware, a sophisticated cybercriminal operation led by Rustam Gallyamov. Qakbot, active since 2008, infected over 700,000 computers globally before its disruption in 2023. The malware served as an initial access broker for high-profile ransomware gangs like Conti, REvil, Black Basta, and Dopplepaymer, enabling them to deploy ransomware on compromised systems. The dental office likely faced operational disruptions, data encryption, and potential financial extortion, as Qakbot’s operators handed victim access to ransomware affiliates in exchange for a share of ransom payments. The attack may have resulted in sensitive patient data exposure, financial losses from downtime, and reputational damage, especially if patient records (e.g., medical histories, payment details) were encrypted or stolen. The FBI’s investigation, involving international partners, seized over $24 million linked to Gallyamov, highlighting the scale of the operation’s financial impact on victims, including healthcare providers like this dental practice.
Source: https://therecord.media/doj-charges-man-allegedly-behind-qakbot-malware
TPRM report: https://www.rankiteo.com/company/california-dental-group
{
"id": "cal3731437112625",
"linkid": "california-dental-group",
"type": "Ransomware",
"date": "6/2008",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'dental services',
'location': 'Los Angeles, USA',
'name': 'Los Angeles dental office',
'type': 'healthcare'},
{'industry': 'technology',
'location': 'Nebraska, USA',
'name': 'Technology company (Nebraska)',
'type': 'private'},
{'industry': 'manufacturing',
'location': 'Wisconsin, USA',
'name': 'Manufacturer (Wisconsin)',
'type': 'private'},
{'industry': 'real estate',
'location': 'Canada',
'name': 'Canadian real estate company',
'type': 'private'}],
'attack_vector': ['malware distribution',
'spam bomb attacks',
'botnet infrastructure'],
'date_publicly_disclosed': '2024-05-30',
'date_resolved': '2023-08-01',
'description': 'The U.S. Justice Department indicted Rustam Gallyamov, the '
'alleged leader of the cybercriminal gang behind the Qakbot '
'malware, which infected over 700,000 computers and was used '
'by high-profile ransomware gangs like Conti, REvil, Black '
'Basta, and Dopplepaymer. A multinational operation in August '
'2023 disrupted the botnet, deleting its code from infected '
'devices. Gallyamov allegedly provided access to victims’ '
'devices to co-conspirators in exchange for a portion of '
"ransom payments. Post-takedown, his group shifted to 'spam "
"bomb' attacks. The DOJ also seized over $24 million linked to "
'Gallyamov and unsealed charges against 16 individuals for '
'deploying DanaBot malware, which infected 300,000+ devices '
'and caused $50 million in damages.',
'impact': {'brand_reputation_impact': 'high (for affected organizations)',
'financial_loss': '$50 million (DanaBot) + unspecified (Qakbot)',
'legal_liabilities': '$24 million seized in civil forfeiture',
'operational_impact': 'significant (botnet disruption, spam bomb '
'attacks)',
'systems_affected': '700,000+ (Qakbot) + 300,000+ (DanaBot)'},
'initial_access_broker': {'backdoors_established': True,
'entry_point': ['malware distribution (Qakbot)',
'spam bomb attacks (post-takedown)'],
'high_value_targets': ['dental offices',
'technology companies',
'manufacturers',
'real estate firms']},
'investigation_status': 'ongoing (indictments unsealed, civil forfeiture in '
'progress)',
'lessons_learned': 'Multinational cooperation is critical for disrupting '
'large-scale cybercriminal operations. Threat actors adapt '
'tactics post-takedown (e.g., shifting to spam bomb '
'attacks). Financial tracking and asset seizure are key '
'components of dismantling cybercriminal enterprises.',
'motivation': 'financial gain',
'post_incident_analysis': {'corrective_actions': ['Multinational botnet '
'takedown operations',
'Asset seizure to disrupt '
'financial gains',
'Public indictments to '
'deter cybercriminal '
'activity'],
'root_causes': ['Proliferation of '
'malware-as-a-service (Qakbot) '
'enabling ransomware attacks',
'Lack of early detection for '
'botnet infections',
'Financial incentives for threat '
'actors to collaborate '
'(revenue-sharing model)']},
'ransomware': {'data_encryption': True,
'ransomware_strain': ['Conti',
'REvil',
'Black Basta',
'Dopplepaymer']},
'recommendations': ['Enhance international law enforcement collaboration for '
'cybercrime investigations.',
'Monitor for secondary attack vectors (e.g., spam bombs) '
'following botnet disruptions.',
'Implement proactive threat hunting for malware like '
'Qakbot and DanaBot.',
'Strengthen endpoint detection and response (EDR) '
'capabilities to prevent initial access.'],
'references': [{'date_accessed': '2024-05-30',
'source': 'U.S. Department of Justice',
'url': 'https://www.justice.gov'},
{'date_accessed': '2024-05-30',
'source': 'FBI Press Release',
'url': 'https://www.fbi.gov'}],
'regulatory_compliance': {'fines_imposed': '$24 million (civil forfeiture)',
'legal_actions': ['indictment of Rustam Gallyamov',
'criminal complaint against 16 '
'DanaBot operators']},
'response': {'communication_strategy': ['public indictment announcement',
'press releases'],
'containment_measures': ['botnet takedown',
'code deletion from infected devices',
'seizure of $24 million'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'third_party_assistance': ['France',
'Germany',
'Netherlands',
'United Kingdom',
'Romania',
'Latvia']},
'threat_actor': {'affiliation': 'Qakbot cybercriminal gang',
'age': 48,
'name': 'Rustam Gallyamov',
'nationality': 'Russian'},
'title': 'Indictment of Alleged Qakbot Malware Leader and Takedown of Botnet',
'type': ['malware', 'botnet', 'ransomware facilitation']}