FBI takes down Hive ransomware network


The Department of Justice announced this week that FBI agents successfully disrupted Hive, a notorious ransomware group, and prevented $130 million worth of ransom demands that targets no longer need to consider paying. The department says the Hive group has been responsible for targeting over 1,500 victims in over 80 countries worldwide, and it now reveals that it had infiltrated the group’s network for months before working with German and Netherlands officials to shut down Hive servers and websites this week.

“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco remarked during a press conference.

The FBI claims that by covertly hacking into Hive servers, it was able to quietly snatch up over 300 decryption keys and pass them back to victims whose data was locked up by the group. US Attorney General Merrick Garland said in his statement that in the last few months, the FBI used those decryption keys to unlock a Texas school district facing a $5 million ransom, a Louisiana hospital that had been asked for $3 million, and an unnamed food services company that faced a $10 million ransom.

“We turned the tables on Hive and busted their business model,” Monaco said. Hive had been considered a top-five ransomware threat by the FBI. According to the Justice Department, Hive has received over $100 million in ransom payments from its victims since June 2021.

Hive’s “ransomware-as-a-service (RaaS)” model is to make and sell ransomware, then recruit “affiliates” to go out and deploy it, with Hive administrators taking a 20 percent cut of any proceeds and publishing stolen data on a “HiveLeaks” site if someone refused to pay. The affiliates, according to the US Cybersecurity and Infrastructure Security Agency (CISA), use methods like email phishing, exploiting FortiToken authentication vulnerabilities, and gaining access to company VPNs and remote desktops (using RDP) that are only protected with single-factor logins.

A CISA alert from November explains how the attacks target businesses and organizations running their own Microsoft Exchange servers. The code provided to affiliates takes advantage of known vulnerabilities like CVE-2021-31207, which, despite being patched since 2021, still affects servers where the appropriate mitigations haven’t been applied.

Once they’re in, their pattern is to use the organization’s own network management protocols to shut down any security software, delete logs, encrypt the data, and, of course, leave behind a HOW_TO_DECRYPT.txt ransom note in encrypted directories that connects victims to a live chat panel to negotiate over ransom demands.
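The post-intrusion pattern above (security tooling stopped, logs deleted, a HOW_TO_DECRYPT.txt note dropped) is something a defender can correlate across endpoint telemetry. The following is an added example, not code from the article or from CISA: it runs over constructed sample events in a hypothetical "host|event|detail" format (not any real product's log format), with hypothetical security service names, and ranks hosts by how much of the chain they show.

```python
# Added example (not from the article): correlate the post-intrusion chain
# described above over constructed telemetry in a hypothetical "host|event|detail"
# format. Flags hosts showing: security software stopped, logs cleared, ransom note.
from collections import defaultdict

RANSOM_NOTE = "how_to_decrypt.txt"
# Hypothetical service names standing in for the estate's AV/EDR agents.
SECURITY_SERVICES = {"windefend", "sense", "edr-agent"}

# Constructed sample telemetry, one event per line.
SAMPLE_LOGS = """\
ws01|service_stop|WinDefend
ws01|log_cleared|Security
ws01|file_create|C:\\Users\\Public\\HOW_TO_DECRYPT.txt
srv-exch|service_stop|Spooler
srv-exch|file_create|C:\\inetpub\\wwwroot\\index.html
fs02|file_create|D:\\shares\\finance\\HOW_TO_DECRYPT.txt
fs02|file_create|D:\\shares\\hr\\HOW_TO_DECRYPT.txt
"""

def classify(event, detail):
    """Map one event to a stage of the pattern, or None if unrelated."""
    d = detail.lower()
    if event == "service_stop" and d in SECURITY_SERVICES:
        return "security_stopped"
    if event == "log_cleared":
        return "logs_cleared"
    if event == "file_create" and d.replace("\\", "/").rsplit("/", 1)[-1] == RANSOM_NOTE:
        return "ransom_note"
    return None

def correlate(log_text):
    """Return {host: set(stages)} for every host with at least one stage."""
    seen = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        host, event, detail = line.split("|", 2)
        stage = classify(event, detail)
        if stage:
            seen[host].add(stage)
    return dict(seen)

def triage(log_text):
    """Full three-stage chain is critical; a note alone is high; earlier stages only are suspicious."""
    out = {}
    for host, stages in correlate(log_text).items():
        if "ransom_note" in stages:
            out[host] = "critical" if len(stages) == 3 else "high"
        else:
            out[host] = "suspicious"
    return out
```

Hosts that only show a stopped security service or a cleared log are still worth a look, since those steps precede encryption in the pattern described.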

“When a victim steps forward, it can make all the difference”

Hive is the biggest ransomware group the feds have taken down since REvil in 2021 — which was responsible for leaking MacBook schematics from an Apple supplier as well as the world’s largest meat supplier. And earlier that year, groups like DarkSide successfully walked away with a $4.4 million payout after penetrating Colonial Pipeline’s systems in an incident that caused national gas prices to skyrocket. The most expensive ransomware attack to be publicized, however, is insurance company CNA Financial, which ended up paying hackers $40 million.

The FBI, during its stakeout of Hive, found more than 1,000 encryption keys tied to previous victims of the group, and FBI Director Christopher Wray noted that only 20 percent of detected victims reached out to the FBI for help. Many victims of ransomware attacks refrain from contacting the FBI for fear of repercussions from the hackers and scrutiny in their industries for failing to secure themselves.

Because the payouts keep coming, the ransomware industry has every incentive to keep going. The FBI hopes it can convince more victims to come forward and work with it instead of buckling to the demands. “When a victim steps forward, it can make all the difference in recovering stolen funds or obtaining decryptor keys,” Monaco said.
