The FBI announced in November that since June 2021 the Hive ransomware operation had extorted almost $100 million from more than 1,500 businesses. The U.S. Department of State is now offering up to $10 million for information that could help link the Hive ransomware organization (or other threat actors) to a foreign government. Hive was a “ransomware as a service” (RaaS) operation, leasing its malware and playbook to affiliates who used them to extort targets, a specialization that can turn almost anyone into a cyber-shakedown artist.
In the ransomware ecosystem, actors specialize in optimizing efficiency. The State Department’s reward is offered “for information regarding the identity or whereabouts of any person engaging in malicious cyber activity against U.S. critical infrastructure while operating at the behest of a foreign government in violation of the Computer Fraud and Abuse Act.”
The State Department has also offered rewards of up to $15 million over the last two years for information leading to the capture of members of the Conti, REvil (Sodinokibi), and Darkside ransomware operations. These rewards are offered through the Transnational Organized Crime Rewards Program (TOCRP), under which the State Department has paid out over $135 million in rewards since 1986.
FBI disrupts the Dark Web site of the Hive ransomware group.
Rewards for Justice (@RFJ_USA) tweeted on January 26, 2023: “If you have information that links Hive or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government, send us your tip via our Tor tip line. You could be eligible for a reward. https://t.co/7Bqz0DUSCf”
Decryption Keys Provided To Hive Victims
This offer follows today’s seizure of the Tor websites used by the Hive ransomware operation, part of a global law enforcement action. According to information released by the Justice Department, the FBI infiltrated Hive’s servers at a hosting company in California last July and discreetly monitored the operation for six months (Dutch police gained access to backup servers hosted in the Netherlands).
As a result, the FBI was able to provide over 1,300 decryption keys to Hive victims and to warn targets of impending attacks as soon as it learned of them, sparing the victims at least $130 million in ransom payments. According to the statement, the victims included hospitals, school systems, financial institutions, and critical infrastructure.
The FBI also obtained information on 250 Hive affiliates, malware file hashes, decryption keys, and Hive communication logs. The gang’s Tor payment and data leak sites now display an animated seizure banner that notifies other ransomware gangs of this coordinated effort and lists the law enforcement agencies and countries involved in the global takedown operation.
“This secret location has been taken. This website was taken down by the Federal Bureau of Investigation as part of a concerted law enforcement operation against Hive Ransomware,” the seizure notice reads.
“This action has been taken in collaboration with the Department of Justice’s Computer Crime and Intellectual Property Section and the United States Attorney’s Office for the Middle District of Florida with significant support from Europol.”
Previous Crackdown On Hive
The ransomware-as-a-service provider Hive previously targeted a variety of sectors and vital infrastructure, with a concentration on healthcare and public health organizations. In August 2021, the gang named Memorial Health System in Illinois its first medical field victim. Empress EMS in New York and Costa Rica’s public health service were the next two. In October, Hive also targeted Tata Power, a leading provider of electricity in India.
Attorney General Merrick Garland added that the FBI has also begun dismantling Hive’s front- and back-end infrastructure domestically and internationally, including the seizure of two of Hive’s back-end servers in Los Angeles. No arrests or indictments were announced at the news briefing, and the FBI did not disclose how it discovered the Hive servers.
Conclusion
“Send us any information or tip via our Tor tip line if you know anything that connects Hive or any other hostile cyber actors attacking U.S. critical infrastructure to a foreign government. You might be qualified to get a reward,” the State Department’s Rewards for Justice Twitter account said.
“It’s a significant achievement by various law enforcement agencies including ones in the UK, US, and EU today in taking down the Hive ransomware gang. It will have immediate effect from a cyber security perspective, with Hive’s network compromising more than 1,500 companies in over 80 countries and this dismantling saving these victims from paying over $130 million in ransom. It’s important to remember that this kind of activity has happened before, but the success has been short-lived as the infrastructure and assets have popped back up elsewhere. Even cyber criminals understand the need for good backup and recovery.
“It’s important that governments and agencies are increasingly collaborating on cyber, in this case from 13 different nations, whether it’s coordinated activity against threat actors or the sharing of national assets, intelligence, and strategies. We expect initiatives like this to only grow stronger between allied cyber powers to ensure that governments, organisations, and citizens will be better protected.”
“Data Privacy Day provides a yearly reminder that data privacy and data security are inextricably linked. Even as laws around the world increasingly recognize the rights of individuals to control how information about them is collected, used and stored, they are also putting greater responsibility on companies for being good stewards of that data and holding them accountable when they aren’t. But protecting data from malicious actors is everyone’s responsibility. Organizations need the strongest possible cybersecurity defenses. At the same time, individuals need to understand the threats and how to avoid falling victim to them while also taking personal responsibility for, and understanding the impact of, willingly sharing data with services like social networks. If a service seems “free,” you should realize you and your data are the product, so act accordingly. Data will not stay private if we don’t all do our part.”
“What is a significant win for law enforcement could in reality be a road bump for the Hive ransomware group. Whenever law enforcement starts paying too much attention and effort to a particular group, they often scatter or reorganize under a different name. We have seen these seizures before, only for the gang to surface with new extortion sites and ransomware names, or sometimes as several smaller groups. In the past they have seen these interruptions as temporary setbacks to a very lucrative business – similar to when a drug cartel has a shipment seized. They lose some income and get disrupted, but rarely stop their criminal activity to become honest working individuals. Law enforcement in several regions has in the past recovered ransoms paid to other gangs or seized decryption keys, but what is different this time is how many victims the FBI has been able to help and for how long.”
“This is a huge development. In cybersecurity, there is a tendency to be on one’s heels from a defensive posturing standpoint. Concentrated offensive actions such as this expansive takedown not only disrupt the criminal crew’s immediate activities, but also compromise their overall operation by obtaining the encryption keys to stolen data. This could lead to the recovery of data previously thought lost or inaccessible, which is a significant victory for authorities. While it’s unlikely to make all victims whole, even a partial recovery of data is promising. Obtaining the keys is one of the biggest wins in this case by far.”
“Seizing the infrastructure of one of the world’s most notorious ransomware groups is a big win for law enforcement. But other gangs still exist, so the threat of a ransomware attack today is just as high as it has always been.
When CISOs are reading the news about Hive’s takedown, it would be wise for them to also focus on the data being revealed about the gang’s victims and the financial losses they inflicted. The alarming numbers may be about Hive, but other ransomware gangs that have even more victims under their belt are still in operation and still pose a very real and credible threat today.
Organisations should use this takedown as a warning that ransomware is a damaging threat that is far from over. As the number one route to a ransomware attack is by gaining initial network access, network infrastructure access must be the number one priority.
When it comes to defence tools, access segmentation and encryption provide the greatest protection. These solutions stop data breaches from propagating through networks and morphing into ransomware attacks, while they also help prevent phishing attacks on employees, since they don’t know the passwords they use.”