In one August 2021 case, a nonprofit Ohio hospital network had to cancel urgent surgical procedures as its employees switched to paper charts. Other victims included a Florida heavy-equipment firm that had to shut down briefly, several law firms, and a New Jersey tech firm whose clients had their data stolen, according to an FBI affidavit.
Garland, FBI Director Christopher A. Wray and their top deputies described the dismantling of Hive as a major victory in the government's efforts to combat ransomware with novel strategies. Law enforcement was able to hack Hive and infiltrate its networks for seven months, officials said, stealing the decryption keys and quietly giving them to 336 victims before taking full control of Hive servers in the United States and Europe, knocking them offline and stopping new infections.
U.S. officials credited German and Dutch authorities and Europol for helping in the case. German police and prosecutors said in a statement that they were able to penetrate the hackers' technology infrastructure as they investigated an attack on a company in southern Germany. They said they succeeded because victims did not pay the ransom and instead filed charges with the police.
Only about 20 percent of Hive's U.S. victims notified authorities, Wray said, but the FBI could identify others from the infrastructure and worked to help them as well. At times, it was able to contact victim organizations, including one college, before the encryption had been deployed.
Officials said they have not made any arrests, and they did not say they had seized any proceeds from the ransoms, but the investigation is continuing.
“Cybercrime is a constantly evolving threat,” Garland said. “But as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack.”
Officials have in the past recovered some ransom paid to other gangs or retrieved decryption keys, Wray said, but have never before been able to help so many victims for so long.
Hive ransomware was first detected in June 2021. It quickly became one of the most active ransomware networks in the United States, notable for attacking sensitive organizations that many rival gangs avoided.
Hive's approach included what has been termed “double extortion,” in that it would charge a fee to release a decryption key so that targets could regain access to their data and would also charge to not publish patient information and other critical data on a site dedicated to such leaks that has now been shut down.
By the number of publicly listed targets, Hive ranked among the top 10 most prolific actors, researchers said, with about half of its victims in the United States.
Officials said the FBI and its law enforcement allies had been helping victims regain access to their files without paying the ransoms since July 2022, saving more than $130 million in payments.
“We hacked the hackers,” Deputy Attorney General Lisa Monaco said. “We turned the table on Hive.”
Researchers said Hive's gang included veterans of one of the most notorious Russian-speaking ransomware gangs, Conti. Conti splintered after a Ukrainian member leaked internal chats that revealed leaders bragging of contacts with Russia's Federal Security Service (FSB).
“That doesn’t necessarily mean they were controlled by the Russian government,” said Allan Liska, intelligence analyst at security firm Recorded Future. “But most of these groups headquartered in Russia at least operate with the tacit approval of the Russian government and likely have these loose government contacts.”
Hive's public but “dark Web” site, unreachable by ordinary web browsers, showed that it had been seized, and its back-end servers were also unreachable Thursday, Liska said, essentially putting it out of business.
Other gangs have been able to move to new infrastructure and regroup in the past, however, and that could happen with Hive as well.
“Actions like this add friction to ransomware operations. Hive may have to regroup, retool, and even rebrand,” said John Hultquist, head of Mandiant Threat Intelligence at Google. “When arrests aren’t possible, we’ll have to focus on tactical solutions and better defense. Until we can address the Russian safe haven and the resilient cybercrime marketplace, this will have to be our focus.”
Correction
An earlier version of this story said incorrectly that Hive was discovered in 2001. It was detected in 2021. This version has been corrected.