Hacking the hackers: How the FBI and hacktivists infiltrated ransomware gang Hive and recovered millions
The FBI, along with its international partners and hacktivist groups, took down a major network of a ransomware gang called Hive, which targeted hospitals and medical facilities across the world. The FBI also recovered over $130 million from the ransomware gang.
In a rather interesting FBI operation that would make a great Hollywood flick, the FBI’s cybersecurity division and a few international hacktivist groups came together to go after one of the most notorious ransomware gangs in the world, Hive, shut down a significant portion of their operations, and recovered about $130 million from them.
What makes the story even more interesting, however, is the way they went about doing it – by infiltrating the organisation and breaking it down from within.
Attorney General Merrick Garland and other US officials announced Thursday that the FBI and some of its international partners have at least temporarily disrupted the network of a prolific ransomware gang they infiltrated last year, sparing victims like hospitals and school districts a potential $130 million in ransom payments.
“Simply put, using lawful means we hacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference.
According to officials, the targeted syndicate, known as Hive, is one of the top five ransomware networks in the world and has mostly targeted the healthcare industry. According to FBI Director Christopher Wray, the agency secretly gained access to its control panel in July and was able to get the software keys it needed to work with German and other partners to decrypt the networks of about 1,300 victims throughout the world.
It’s unclear how the takedown will impact Hive’s operations in the long run. No arrests were made, but authorities said they were constructing a map of the administrators who control the programme and the affiliates that infect targets and deal with victims in order to pursue prosecutions.
“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.
FBI investigators seized the network’s supporting servers on Wednesday night in Los Angeles. Two Hive dark web sites were seized: one was used to negotiate extortion payments and the other to disseminate information about victims who weren’t paying.
“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack,” Garland said.
According to him, the FBI’s Tampa branch spearheaded the infiltration, which allowed agents to thwart a Hive assault against a Texas school system in one instance and prevent it from completing a $5 million payment.
The largest cybercrime threat today is ransomware, which has paralysed everything from the Costa Rican government to the national health network of Ireland and the United Kingdom thanks to Russian-speaking gangs with the protection of the Kremlin.
The thieves seize important data, lock up or encrypt the victims’ networks, and demand significant sums of money. As their form of extortion has evolved, data is now stolen before the ransomware is launched and then essentially held hostage: payment must be made in bitcoin to keep it from being made public.
As an example, Garland cited a Hive attack in 2021, during the COVID-19 pandemic, that prevented one Midwestern hospital from taking new patients.
The online takedown notice references Europol and German law enforcement partners and alternates between English and Russian. According to prosecutors in Stuttgart, as reported by the German news agency DPA, cyber experts in Esslingen, a town in the southwest, were crucial in breaking into Hive’s illicit IT infrastructure when a local business was attacked.
In a statement, Europol said that Hive had infiltrated firms in more than 80 nations, including international oil giants, and that 13 different countries’ law enforcement agencies were involved.
According to a US government report from the previous year, Hive ransomware attackers targeted over 1,300 businesses globally between June 2021 and November 2022, earning roughly $100 million in ransom payments. Criminals that used ransomware-as-a-service tools from Hive attacked a variety of industries and crucial infrastructure, particularly the government, manufacturing, and health care.
Although the FBI sent decryption keys to around 1,300 victims worldwide, Wray claimed that just 20 per cent of them alerted authorities to possible problems.
“Here, fortunately, we were still able to identify and help many victims who didn’t report. But that is not always the case,” Wray said. “When victims report attacks to us, we can help them and others, too.”
Even if their networks have been rapidly restored, victims may pay ransoms covertly without alerting the police because they fear the consequences of having their data released online. One of the concerns is identity theft.
The Hive outage won’t significantly reduce overall ransomware activity, according to John Hultquist, head of threat intelligence at cybersecurity company Mandiant, but it is nevertheless “a blow to a dangerous organisation.”
“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” Hultquist said.
However, expert Brett Callow of the cybersecurity company Emsisoft claimed that the operation is likely to decrease the confidence of ransomware criminals in what has hitherto been a very high reward-low risk industry. “The data gathered may identify associates, money-launderers, and other ransomware supply chain participants.”
Indictments, if not actual arrests, were expected by Allan Liska of Recorded Future, a different cybersecurity company, over the upcoming few months.
In the global campaign against ransomware, there aren’t many encouraging signs, but here is one: According to Chainalysis’ study of bitcoin transactions, ransomware extortion payments decreased in 2017. At least $456.8 million in payments were monitored, a decrease from $765.6 million in 2021. Payments were obviously lower even though Chainalysis claimed that the genuine totals are unquestionably far higher. That may mean that more victims are avoiding paying.
Following a slew of high-profile assaults that put key infrastructure and international business at risk, the Biden administration began to take ransomware seriously at its highest levels two years ago. For instance, in May 2021, hackers targeted the largest gasoline pipeline in the country, forcing its operators to momentarily shut it down and pay a multimillion dollar ransom, which the US government ultimately recovered in significant part.
Thirty-seven nations have joined a global task force that started working this week. Australia, which has been especially hard-hit by ransomware, including attacks on a significant medical insurer and a telco, is leading the charge. Arrests and prosecutions, which are common law enforcement practices, haven’t done much to deter criminal activity. Australia’s interior minister, Clare O’Neil, declared in November that her government was going on the offensive, using cyber-intelligence and police operatives to “identify these guys, chase them down, and incapacitate them before they can harm our nation.”
This is not the first time decryption keys have been made available to the FBI: that also happened in the case of a significant 2021 ransomware attack on Kaseya, a business whose software powers hundreds of websites. However, the agency received criticism for delaying assistance to victims in unlocking compromised networks for several weeks.