The Justice Department announced this week that FBI agents successfully interrupted Hive, a notorious ransomware group, and prevented $130 million in ransom campaigns that targets no longer had to consider paying. While the Hive group claims to have been responsible for attacking more than 1,500 victims in more than 80 countries around the world, the department now reveals it had been infiltrating the group’s network for months before attacking German and Dutch this week. officials worked together to shut down Hive servers and websites.
“Simply put, by lawful means we hacked the hackers,” Deputy Attorney General Lisa Monaco said. remarked at a press conference.
The FBI claims that by covertly hacking into Hive servers, it was able to quietly obtain more than 300 decryption keys and return them to victims whose data had been locked away by the group. U.S. Attorney General Merrick Garland said in his statement that in recent months the FBI used those decryption keys to unlock a Texas school district that had been ordered to pay a $5 million ransom, a Louisiana hospital that had been asked for $3 million, and an unnamed food supply. company that was waiting for a ransom of $10 million.
“We turned the tables on Hive and broke their business model,” said Monaco. Hive was considered a top-five ransomware threat by the FBI. As of June 2021, Hive has received more than $100 million in ransom money from its victims, according to the Justice Department.
Hive’s “ransomware-as-a-service (RaaS)” model is to create and sell ransomware, then recruit “affiliates” to go out and deploy it, with Hive admins taking 20 percent of the proceeds and publish stolen data on a “HiveLeaks” site if someone refused to pay. According to the US Cybersecurity and Infrastructure Security Agency (CISA), the member companies use methods such as email phishing, exploiting FortiToken authentication vulnerabilities, and accessing corporate VPNs and remote desktops (using RDP) that are only protected with single- factor logins.
A November CISA alert explains how the attacks target companies and organizations that have their own Microsoft Exchange servers. The code provided to their partners uses known exploits such as CVE-2021-31207which, despite being patched since 2021, often remain vulnerable if proper measures have not been applied.
Once in, their pattern is to use the organization’s own network management protocols to shut down security software, delete logs, encrypt the data, and of course, leave a HOW_TO_DECRYPT.txt ransom note in encrypted folders that links victims to a live chat panel to negotiate ransom demands.
“If a victim steps forward, it can make all the difference”
Hive is the largest ransomware group the FBI has brought down since REvil in 2021 – which was responsible for leaking MacBook schematics from an Apple supplier and the world’s largest meat supplier. And earlier that year, groups like DarkSide successfully walked away with a $4.4 million payout after breaking into Colonial Pipeline’s systems in an incident that caused national gas prices to skyrocket. However, the most expensive ransomware attack disclosed is the insurance company CNA Financial, which ended up paying hackers $40 million.
The FBI found more than 1,000 encryption keys associated with previous victims of the group during the Hive stakeout, and FBI Director Christopher Wray noted that only 20 percent of detected victims contacted the FBI for help. Many victims of ransomware attacks do not contact the FBI for fear of repercussions from the hackers and scrutiny in their industry for not securing themselves.
However, as hackers get their paycheck, it fuels the ransomware industry to keep going. The FBI hopes it can convince more victims to come forward and cooperate with them rather than give in to demands. “When a victim steps forward, it can make all the difference in recovering stolen funds or obtaining decryptor keys,” said Monaco.