The U.S. Federal Bureau of Investigation (FBI) has seized the website of the Hive ransomware gang after penetrating the group’s computer networks, which were apparently hosted in California.
The agency said Thursday it penetrated the networks in July 2022, leading to the capture of decryption keys. Since then it has quietly offered those keys to 300 victims. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims.
Yesterday, in co-ordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, it seized control of the Hive website.
In making the announcement, the FBI thanked a number of police forces, including the RCMP and Peel Regional Police in Ontario.
“Last night the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” U.S. Attorney General Merrick Garland said in a statement this morning.
“Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”
Since June 2021, the Hive ransomware group has targeted more than 1,500 victims around the world and received over US$100 million in ransom payments.
“It’s somewhat surprising that the group housed their server resources in-country in Los Angeles,” said Kurt Baumgartner, principal researcher at Kaspersky. “Apparently they thought everything was secured and hidden by the Tor network. Law enforcement put on display some impressive capabilities in infiltrating, seizing, and disrupting some of the gang’s resources.”
Law enforcement is certainly having more success at disrupting ransomware operations, probably because more resources are being allocated to their efforts, said Brett Callow, British Columbia-based threat analyst for Emsisoft. “While individual disruptions may not have a significant impact on the overall landscape, collectively they do, with the intel that is gathered being used to target individuals and other components of the ransomware supply chain.”
The disruption of the Hive service won’t cause a serious drop in overall ransomware activity, said John Hultquist, head of Mandiant threat intelligence, but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system. “Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals.
“Actions like this add friction to ransomware operations,” he said. “Hive may have to regroup, retool, and even rebrand. When arrests aren’t possible, we’ll have to focus on tactical solutions and better defense. Until we can address the Russian safehaven and the resilient cybercrime marketplace, this will have to be our focus.”
Hive is one of the most active ransomware operations around – perhaps the most active – and was responsible for at least 11 of the incidents involving US governments, schools and healthcare providers in 2022. Hive ransomware attacks have caused major disruptions in victims’ daily operations around the world and affected responses to the COVID-19 pandemic, said the FBI. In one case, a hospital attacked by Hive ransomware had to resort to analog methods to treat existing patients and was unable to accept new patients immediately following the attack.
According to a background paper on the group by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Hive’s affiliates often get initial access to victim networks by using single factor logins via Windows Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols.
In some cases, Hive actors bypassed multifactor authentication and gained access to Fortinet FortiOS servers by exploiting a known but unpatched vulnerability, CVE-2020-12812. The flaw allowed an attacker who knew a valid password to log in without being prompted for the user’s second authentication factor (FortiToken) simply by changing the case of the username, because the second-factor check did not match the account the way the password check did.
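The following Python snippet is an added illustration of the bug class described above; it is not Fortinet’s code and does not reproduce FortiOS internals. It assumes a login flow where primary authentication resolves the username case-insensitively against a directory, while the MFA enrolment table is keyed by the exact username string as typed. All users, hashes and the OTP value are constructed sample data. The hardened version canonicalizes the username once, uses that single form for every lookup, and fails closed when the MFA store has no entry for the account.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample data (not from any real system). Primary credentials
# live in a directory that resolves names case-insensitively; the MFA
# enrolment table is a separate store keyed by the exact username string.
_DIRECTORY = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
_MFA_ENROLLED = {"alice": True}   # alice must present a token OTP
VALID_OTP = "123456"              # stand-in for a valid FortiToken code


def _password_ok(username: str, password: str) -> bool:
    """Directory-style primary auth: the lookup ignores username case."""
    stored = _DIRECTORY.get(username.lower())
    if stored is None:
        return False
    presented = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, presented)


def _otp_ok(otp) -> bool:
    return otp is not None and hmac.compare_digest(str(otp), VALID_OTP)


def login_vulnerable(username: str, password: str, otp=None) -> str:
    """Returns 'ok', 'need_otp' or 'deny'. Models the CVE-2020-12812 bug class."""
    if not _password_ok(username, password):
        return "deny"
    # Bug: the second-factor lookup uses the username exactly as typed.
    # 'ALICE' matches the directory but not the enrolment table, so the
    # code concludes that no second factor is required.
    if _MFA_ENROLLED.get(username, False):
        return "ok" if _otp_ok(otp) else "need_otp"
    return "ok"


def canonicalize(username: str) -> str:
    """One canonical form used for every lookup in the login flow.

    NFKC folds compatibility look-alikes (e.g. the Kelvin sign to 'k')
    before case folding, so two spellings of one account cannot reach
    different rows in different stores.
    """
    return unicodedata.normalize("NFKC", username).casefold()


def login_fixed(username: str, password: str, otp=None) -> str:
    """Same flow, with a single canonical username and fail-closed MFA lookup."""
    canonical = canonicalize(username)
    if not _password_ok(canonical, password):
        return "deny"
    enrolled = _MFA_ENROLLED.get(canonical)
    if enrolled is None:
        # Fail closed: an account the MFA store does not know about gets
        # no second-factor exemption.
        return "deny"
    if enrolled:
        return "ok" if _otp_ok(otp) else "need_otp"
    return "ok"


if __name__ == "__main__":
    for fn in (login_vulnerable, login_fixed):
        print(fn.__name__,
              "alice ->", fn("alice", "correct horse"),
              "| ALICE ->", fn("ALICE", "correct horse"))
```

Run as a script, the vulnerable flow prompts `alice` for an OTP but lets `ALICE` straight in with only the password, while the fixed flow demands the OTP for both spellings. The general lesson is the one a reviewer should apply to any multi-store authentication path: normalize the identifier exactly once, before the first lookup, and treat a missing policy row as a denial rather than an exemption.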
Hive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments.
Separately, today Cyberint released a report on ransomware trends in 2022. Among the conclusions:
- The U.S. is still the most targeted country, with 1,060 victims, a decline of almost 300 since the previous year, followed by the UK, Canada and Germany.
- Q2 and Q3 saw major drops in ransomware activity (708 and 666 incidents, respectively, down from 763 in Q1), while Q4 saw a slight rise to 672. Cyberint analysts read the Q4 increase as a sign that new and fast-growing groups established in Q3 and Q4, such as Royal and BlackBasta, are gaining ground.
- LockBit 3.0 rose to prominence and gained notoriety without using Twitter for “PR”, as other groups have increasingly done.
- Talent for hire in the ransomware world is changing the game: LockBit’s “bug bounty program”, which demonstrated the group’s arrogance and strength, offered rewards to anyone who found vulnerabilities in its servers.
- The rise of Royal in the last months of 2022 saw it reach a victim count rate already higher than LockBit’s, suggesting competition between the two can be expected in 2023.
This story was updated with comments from Emsisoft, Mandiant, and additional information from Kaspersky.