This Monday, the Department of Justice stated that FBI agents had successfully halted the operations of the notorious ransomware gang Hive, saving potential victims $130 million in ransom payments. While the department previously claimed that the Hive group was responsible for attacking over 1,500 victims in over 80 countries, it was only this week that it revealed that it had infiltrated the group’s network for months before working with German and Dutch officials to shut down Hive servers and websites.
“Simply put, through legitimate means, we hacked the hackers,” Deputy Attorney General Lisa Monaco said during a press briefing.
The FBI claims it was able to stealthily break into Hive servers and retrieve over 300 decryption keys, which it then distributed to individuals whose data had been encrypted by the organisation. According to US Attorney General Merrick Garland’s statement, the FBI has used these decryption keys to free a Texas school district that was threatened with a $5 million ransom, a hospital in Louisiana that was asked for $3 million, and an unnamed food services company that was threatened with a $10 million ransom in recent months.
Ultimately, “we turned the tables on Hive and broke their business model,” as Monaco put it. The FBI has previously ranked Hive as a top-5 ransomware threat. Since June 2021, victims have paid Hive over $100 million in ransom, according to the Justice Department.
Hive’s “ransomware-as-a-service (RaaS)” business includes creating and selling ransomware, as well as recruiting “affiliates” to go out and deploy it, with Hive admins receiving a 20% cut of any earnings and exposing stolen data on a site called “HiveLeaks” if a victim refuses to pay the ransom. Email phishing, exploiting FortiToken authentication vulnerabilities, and gaining access to company VPNs and remote desktops (using RDP) that are only protected with single-factor logins are some of the methods the affiliates use, according to the US Cybersecurity and Infrastructure Security Agency (CISA).
CISA issued a notice in November detailing how these attacks are aimed at companies and organisations that host their own Microsoft Exchange servers. The code Hive supplies exploits known flaws such as CVE-2021-31207, which has since been patched but remains exploitable on servers where the fix and the proper safeguards have not been applied.
Once inside, the intruders typically use the organisation’s own network administration tools to disable security software, delete logs and encrypt data, then direct victims to a live chat panel to negotiate the ransom demand.
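The post-intrusion behaviour CISA describes (a single-factor RDP logon from the internet, security tooling switched off, logs wiped) leaves a recognisable trail in Windows event logs. The following is an added detection example, not code from the article, CISA or the FBI: it runs over constructed sample event records and flags hosts where the same account performed an internet-facing RDP logon and then tampered with defences. The event IDs (4624 with logon type 10, Defender 5001, Security 1102, System 104) are real Windows IDs; the records, usernames and addresses are made up.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample records (not real telemetry) in the order an intrusion
# of the kind described above might produce them.
SAMPLE_EVENTS: List[Dict] = [
    {"channel": "Security", "event_id": 4624, "logon_type": 10,
     "src_ip": "203.0.113.45", "user": "svc_backup"},   # RDP from outside
    {"channel": "Security", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.4.12", "user": "jdoe"},            # RDP from the LAN
    {"channel": "Microsoft-Windows-Windows Defender/Operational",
     "event_id": 5001, "user": "svc_backup"},           # real-time protection off
    {"channel": "Security", "event_id": 1102, "user": "svc_backup"},  # log cleared
    {"channel": "System", "event_id": 104, "user": "svc_backup"},     # log cleared
]

# Address space treated as internal; anything else is an internet source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Finding = Tuple[str, str, str]  # (rule, user, detail)


def is_external(ip: str) -> bool:
    """True when the source address lies outside the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events: List[Dict]) -> List[Finding]:
    """Map each event of interest to a (rule, user, detail) finding."""
    findings: List[Finding] = []
    for e in events:
        chan, eid, user = e.get("channel", ""), e.get("event_id"), e.get("user", "?")
        if chan == "Security" and eid == 4624 and e.get("logon_type") == 10 \
                and is_external(e.get("src_ip", "127.0.0.1")):
            findings.append(("rdp_from_internet", user, e["src_ip"]))
        elif eid == 5001 and "Defender" in chan:
            findings.append(("defender_realtime_disabled", user, chan))
        elif (chan, eid) in {("Security", 1102), ("System", 104)}:
            findings.append(("event_log_cleared", user, chan))
    return findings


def suspicious_users(findings: List[Finding]) -> List[str]:
    """Accounts that both logged on via RDP from the internet and tampered with defences."""
    access = {u for rule, u, _ in findings if rule == "rdp_from_internet"}
    tamper = {u for rule, u, _ in findings if rule != "rdp_from_internet"}
    return sorted(access & tamper)
```

Exposed single-factor RDP is the entry point the article names, so the combined rule is a stronger signal than any one event: one internal RDP logon is routine, but an external logon followed by log clearing by the same account is not.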
“Coming forward from a victim can make a huge impact”
This is the US government’s biggest ransomware takedown since REvil in 2021, the gang behind that year’s incidents involving MacBook schematics taken from an Apple supplier and an attack on the world’s largest beef supplier. Also in that year, gangs like DarkSide extracted $4.4 million from Colonial Pipeline after hacking into its systems, causing nationwide gas prices to spike. The largest known payment, however, came from CNA Financial, which paid $40 million to hackers after suffering one of the most notorious ransomware assaults.
During its stakeout at Hive, the FBI discovered over a thousand encryption keys linked to past victims of the group, yet only 20% of those victims had contacted the FBI for assistance, as revealed by FBI Director Christopher Wray. Fearing retaliation from the hackers and criticism from their industry for failing to safeguard themselves, many victims of ransomware incidents hesitate to alert the FBI.
At the same time, every ransom paid fuels the ransomware industry. The FBI hopes that more victims will cooperate with it rather than give in to the demands made of them. An individual victim’s cooperation “may make all the difference” in recouping stolen cash or obtaining decryption keys, as Monaco stated.