FBI neutralizes Hive, one of the big 5 ransomware gangs in the world.   

Attorney General Merrick Garland and other U.S. officials announced Thursday that the FBI and international partners have at least temporarily disrupted the network of a prolific ransomware gang they infiltrated last year, sparing victims like hospitals and school districts a potential $130 million in ransom payments.

At a press conference, Deputy Attorney General Lisa Monaco stated, “Put simply, we hack the hackers using legal means.”

According to officials, the targeted syndicate known as Hive is one of the top five ransomware networks in the world and has primarily targeted the healthcare industry. According to FBI Director Christopher Wray, the agency secretly gained access to its control panel in July and was able to obtain the software keys it needed to work with German and other partners to decrypt the networks of about 1,300 victims around the world.

It’s unclear how the takedown will impact Hive’s operations in the long run. No arrests were reported, but authorities said they were compiling a map of the administrators who control the program and the affiliates that infect targets and bargain with victims in order to pursue prosecutions.

“The inquiry is still ongoing, so I believe everybody connected to Hive should be worried,” Wray added.

FBI investigators seized the network’s supporting servers on Wednesday night in Los Angeles. Two Hive dark web sites were seized: one was used to negotiate extortion payments and the other to disseminate information about victims who weren’t paying.

Garland stated that although cybercrime is a threat that is continually changing, the Justice Department would use all available means to bring to justice anyone who targets the United States with a ransomware attack, no matter where they are located.

According to him, the FBI’s Tampa branch spearheaded the infiltration, which allowed agents to thwart a Hive attack against a Texas school district in one instance and prevent it from completing a $5 million payment.

For the Justice Department, it’s a significant victory. Ransomware is the largest problem in cybercrime, having crippled everything from the Costa Rican government to the British postal service and the national health network in Ireland. These syndicates are Russian-speaking and are protected by the Kremlin.

The thieves seize important data, lock up or encrypt the victims’ networks, and demand significant sums of money. In their evolving form of extortion, data is now stolen before the ransomware is launched and then essentially held hostage: unless payment is made in cryptocurrency, the stolen data is made public.

As an example of a Hive attack, Garland cited a Midwestern hospital that was unable to accept new patients at the peak of the COVID-19 pandemic in 2021.

The internet takedown notice mentions Europol and German law enforcement partners and alternates between English and Russian. According to prosecutors in Stuttgart, who were quoted by the German news agency DPA, cyber experts in Esslingen, a town in the southwest, were crucial in breaking into Hive’s illicit IT infrastructure when a local business was attacked.

In a statement, Europol said that Hive had infiltrated firms in more than 80 nations, including international oil giants, and that 13 different countries’ law enforcement agencies were involved.

According to a U.S. government report from the previous year, Hive ransomware attackers targeted over 1,300 businesses globally between June 2021 and November 2022, earning roughly $100 million in ransom payments. Criminals who used ransomware-as-a-service tools from Hive attacked a variety of industries and critical infrastructure, particularly government, manufacturing, and health care.

Although the FBI sent decryption keys to around 1,300 victims worldwide, Wray said that just 20% of them had alerted authorities to the attacks.

“Thankfully, we were still able to locate and assist numerous victims who didn’t report,” Wray said. “However, that is not always the case. We can assist victims and others when they report attacks to us.”

Even when their networks have been restored quickly, victims may pay ransoms covertly without alerting the police because they fear the consequences of having their data released online, identity theft among them.

The Hive outage won’t significantly reduce overall ransomware activity, according to John Hultquist, head of threat intelligence at cybersecurity company Mandiant, but it is nevertheless “a blow to a dangerous organization.”

Because of the criminal marketplace at the core of the ransomware problem, a Hive competitor will be ready to provide a comparable service in its absence, although they might think twice before using their malware to attack hospitals, according to Hultquist.

However, Brett Callow, an expert with the cybersecurity company Emsisoft, said the operation is likely to shake the confidence of ransomware criminals in what has hitherto been a very high-reward, low-risk industry. “The data gathered may identify associates, money-launderers, and other ransomware supply chain participants.”

Allan Liska of Recorded Future, another cybersecurity company, predicted indictments, if not actual arrests, in the coming months.

In the global campaign against ransomware, there aren’t many encouraging signs, but here is one: according to Chainalysis’ study of bitcoin transactions, ransomware extortion payments decreased in 2017. At least $456.8 million in payments were tracked, a decrease from $765.6 million in 2021. Even though Chainalysis said the true totals are unquestionably far higher, payments were clearly lower, which might mean that more victims are refusing to pay.

Following a slew of high-profile attacks that put key infrastructure and international business at risk, the Biden administration began to take ransomware seriously at its highest levels two years ago. For instance, in May 2021 hackers targeted the largest fuel pipeline in the country, forcing its operators to briefly shut it down and pay a multimillion-dollar ransom, which the U.S. government ultimately recovered in significant part.

37 nations have joined a global task force that started working this week. Australia, which has been particularly hard hit by ransomware, including attacks on major medical insurance and telco companies, is leading the charge. Arrests and prosecutions, the usual law enforcement tools, haven’t done much to deter criminal activity. Australia’s interior minister, Clare O’Neil, declared in November that her government was going on the offensive, using cyber-intelligence and police operatives to “identify these guys, chase them down, and incapacitate them before they can attack our country.”

The FBI has made decryption keys available to victims before. It did so in the case of a significant 2021 ransomware attack on Kaseya, a business whose software powers hundreds of websites. However, it was criticized for withholding the keys for several weeks, delaying help for victims trying to unlock their compromised networks.
