The FBI has revealed the results of a month-long campaign designed to thwart an infamous ransomware group known for extorting hospitals, school districts and critical infrastructure. On Thursday, the agency announced that it had worked with law enforcement agencies in Germany and the Netherlands to take control of the servers used by the Hive criminal gang to communicate with its members, thus cutting off its ability to extort its victims.
The group’s dark web site now displays a message in both English and Russian stating: “This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware.”
SEE: Ransomware attacks are decreasing, but companies remain vulnerable (TechRepublic)
Another message indicates that this action was taken by the United States Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol.
- Takedown of website is latest step
- History of Hive
- Tactics of Hive
- Challenges in taking down ransomware groups
- Recommendations to combat ransomware
Takedown of Hive’s website is the latest step
The takedown of the Hive website is just the latest in a series of steps aimed at disrupting the group’s capabilities. The FBI said that since late July of 2022, it has penetrated the gang’s computer networks, captured its decryption keys and provided those keys to victims around the world.
Offering the decryption keys to Hive victims is a crucial action, as it has saved them from collectively paying a ransom amount of $130 million. Since the FBI’s campaign started, more than 300 decryption keys have been given to Hive victims under attack, while more than 1,000 were provided to victims of the gang’s previous attacks.
“Cybercriminals utilize sophisticated technologies to prey upon innocent victims worldwide,” said U.S. Attorney Roger Handberg for the Middle District of Florida. “Thanks to the exceptional investigative work and coordination by our domestic and international law enforcement partners, further extortion by Hive has been thwarted, critical business operations can resume without interruption, and millions of dollars in ransom payments were averted.”
History of Hive
Surfacing in 2021, Hive launched a series of attacks that quickly made it one of the most active and prominent ransomware groups. Employing the ransomware-as-a-service model, Hive develops the necessary ransomware tools and technologies and then recruits affiliates to carry out the actual attacks. After the ransom is received, Hive affiliates and administrators split the money 80/20, according to the FBI.
Using the RaaS model, Hive has targeted a variety of sectors, including hospitals, school districts, financial firms and critical infrastructure. Since June of 2021, the group has targeted more than 1,500 victims globally and captured more than $100 million in ransom payments.
Tactics of Hive
Hive is known for double extortion tactics in which the attackers not only decrypt the data to prevent its victims from accessing it but threaten to publicly leak the information unless the ransom is paid. The group has already published data stolen from victims on its leak website.
Hive affiliates gain access to the networks of intended victims through different methods, according to the U.S. Cybersecurity and Infrastructure Security Agency. In some cases, the attackers sneak in through single-factor account logins using Remote Desktop Protocol, virtual private networks or other remote connection protocols.
In other cases, they exploit vulnerabilities in FortiToken authentication products. And another common tactic involves sending phishing emails with malicious file attachments.
Challenges in taking down ransomware groups
Ransomware groups are difficult to fully wipe out because the members tend to resurface in other groups and capacities. But, the efforts by the FBI and other law enforcement agencies are designed to hit them on several fronts.
“While this is definitely a win, this is by no means the end of ransomware,” said Jordan LaRose, practice director for infrastructure security at security consulting firm NCC Group. “We have already seen a reemergence from REvil, and Hive will likely follow suit in some form.
SEE: The most dangerous and destructive ransomware groups of 2022 (TechRepublic)
“But, takedowns like these doubtlessly deter attackers and potential payees and increase awareness of the long-term effects of paying attackers.”
Collaboration and cooperation among different law enforcement entities around the world is key to winning the battle against ransomware attackers, LaRose added. Also of great help is the ability of security experts to provide critical threat intelligence to the FBI and other organizations.
Recommendations to combat ransomware
“For vulnerable organizations, this is why the primary focus must be getting their system back up and running after an attack,” said Caroline Seymour, vice president of product marketing for disaster recovery firm Zerto. “When a service provider is disabled and access to data is held in exchange for ransom, the best way to fight back and get up and running again is to have a recovery solution in place that protects systems from disruption and provides a path to instant recovery.”
However, many organizations turn to backups that are a day or even a week old to restore their data, Seymour added. That leads to gaps and data loss that can impact the business and add to the overall cost of recovery.
“The key is having a solution that’s always on with enough granularity to recover to a point in time precisely before the attack occurred without time gaps,” Seymour said. “The best solution will be one that uses continuous data protection and keeps valuable data protected in real time.”
Read next: Following year-end ransomware storm, leaders batten hatches for sea of troubles in 2023 (TechRepublic)