Hive Ransomware Operation Disrupted as FBI Seizes the Gang’s Infrastructure

January 27, 2023

While the Hive ransomware operation was infiltrating servers, exfiltrating data, and demanding ransom payments from its victims, its activities were being observed from within. The FBI had access to Hive’s ransomware servers from July 2022, using that access to learn about the group’s methods and to help victims recover without paying the ransom. The FBI bided its time until the ideal moment to strike, and strike it did. The Department of Justice (DOJ) has announced that the Hive ransomware gang’s digital infrastructure has been seized, including the group’s Tor payment site, data leak site, and the infrastructure used by the group’s leadership and affiliates for communications.

The Hive ransomware gang was one of the most active and aggressive ransomware-as-a-service (RaaS) operations, having conducted more than 1,500 attacks on entities in over 80 countries in less than two years. While some ransomware actors have terms and conditions preventing their affiliates from conducting attacks on the healthcare sector, that was not the case with Hive, which conducted many attacks on hospitals and health systems, along with schools, financial firms, and critical infrastructure entities. Healthcare victims include Consulate Health, Lake Charles Memorial Health, Tift Regional Medical Center, Greenway Health, Johnson Memorial Health, Partnership HealthPlan, First Choice Community Healthcare, and Missouri Delta Medical Center.

The Hive gang has been active since at least June 2021 and is believed to have generated in excess of $100 million in ransom payments. The group is known to gain initial access to networks through a range of techniques, including phishing, stolen credentials, exposed Remote Desktop Protocol (RDP) services, VPNs, and the exploitation of vulnerabilities in Internet-exposed devices. After gaining access to a network, the group moves laterally, identifies data of interest, exfiltrates files, encrypts systems, and then demands payment both for the decryption keys and to prevent the publication of the stolen data. If victims refuse to pay, the stolen data are publicly released on the group’s data leak site.

The takedown of the group’s infrastructure came at the end of a months-long infiltration, with assistance provided by Europol, the U.S. Secret Service, the U.S. Attorney’s Office for the Eastern District of Virginia, the U.S. Attorney’s Office for the Central District of California, and law enforcement agencies in Germany and the Netherlands. The FBI gained access to two dedicated servers and one virtual server hosted by a California-based hosting provider, which were being leased by the gang, and law enforcement in the Netherlands assisted with the seizure of two backup servers hosted in that country. The servers were being used to host the main data leak site, the negotiation site, and the Internet interfaces used by the group’s members and affiliates.

The FBI obtained information on planned attacks and contacted victims to warn them, and during the past six months has prevented approximately $130 million in ransom payments. The FBI obtained the decryption keys for approximately 300 victims who were under attack at the time and has distributed approximately 1,000 decryption keys to previous victims. The FBI also obtained records of communications, malware file hash values, and information on 250 affiliates that were conducting attacks for the gang, along with a list of past victims. The websites used by the gang now display a notice, rotating between English and Russian, warning that the sites have been seized.

“The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators,” said Deputy Attorney General Lisa O. Monaco. “In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”

The Hive group communicates in Russian and is believed to operate out of that country. There is no extradition treaty between Russia and the United States, and Russia has previously been reluctant to take action against ransomware gangs operating within its borders. The information obtained on the gang’s members and affiliates is likely to lead to indictments, although it may prove difficult to bring those individuals to justice. While the operation has caused considerable disruption to the Hive operation, the group is well-resourced and has obtained significant sums in ransom payments, so it is probable that the infrastructure will be rebuilt and operations will recommence under a different name. Even so, this is a major achievement and has prevented many damaging attacks on the healthcare sector.

“The disruption of the Hive service won’t cause a serious drop in overall ransomware activity, but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system. Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” John Hultquist, Head of Mandiant Threat Intelligence, Google Cloud, explained to HIPAA Journal. “Actions like this add friction to ransomware operations. Hive may have to regroup, retool, and even rebrand. When arrests aren’t possible, we’ll have to focus on tactical solutions and better defense. Until we can address the Russian safe haven and the resilient cybercrime marketplace, this will have to be our focus.”

The post Hive Ransomware Operation Disrupted as FBI Seizes the Gang’s Infrastructure appeared first on HIPAA Journal.