DOJ ‘disrupts’ Hive ransomware group, as FBI infiltrates network and thwarts ransom demands

The U.S. Department of Justice announced on Thursday a months-long disruption campaign against the Hive ransomware group, which has targeted more than 1,500 victims in over 80 countries. Since 2021 the group has hit hospitals, school districts, financial firms and critical infrastructure, and has received over US$100 million in ransom payments.

“Hive ransomware attacks have caused major disruptions in victim daily operations around the world and affected responses to the COVID-19 pandemic,” the DOJ said in a media statement. “In one case, a hospital attacked by Hive ransomware had to resort to analog methods to treat existing patients and was unable to accept new patients immediately following the attack.”   

Hive used a ransomware-as-a-service (RaaS) model featuring administrators, sometimes called developers, and affiliates, the DOJ disclosed. “RaaS is a subscription-based model where the developers or administrators develop a ransomware strain and create an easy-to-use interface with which to operate it and then recruit affiliates to deploy the ransomware against victims. Affiliates identified targets and deployed this readymade malicious software to attack victims and then earned a percentage of each successful ransom payment,” it added.

The agency also revealed that the Hive ransomware hackers employed a double-extortion model of attack. Before encrypting the victim system, the affiliate would exfiltrate or steal sensitive data. The affiliate then sought a ransom for both the decryption key necessary to decrypt the victim’s system and a promise to not publish the stolen data. “Hive actors frequently targeted the most sensitive data in a victim’s system to increase the pressure to pay. After a victim pays, affiliates and administrators split the ransom 80/20. Hive published the data of victims who do not pay on the Hive Leak Site,” it added.

After gaining access, Hive ransomware attempted to evade detection by enumerating running processes, identifying those related to backups, antivirus/anti-spyware and file copying, and terminating them so that nothing would block or preserve copies of the files it was about to encrypt.

The ransomware also stopped the Volume Shadow Copy Service, removed all existing shadow copies and cleared the Windows event logs, specifically the System, Security and Application logs, leaving the victim with neither a quick local recovery path nor a clean forensic record. Prior to encryption, it removed virus definitions and, through the system registry, disabled all components of Windows Defender and other common antivirus products.
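As an added example (not code from the article, the DOJ or any vendor), the Python below sketches detection logic for the pre-encryption sequence just described, run over constructed process-creation log lines. The specific command lines it looks for (vssadmin, wmic shadowcopy, net stop, taskkill, wevtutil, reg add against the Windows Defender policy key) are assumptions about how an affiliate would carry out those actions, not indicators quoted from the Hive sample or the advisory; the host names, users and timestamps are likewise made up.

```python
"""Detect the pre-encryption defence-evasion pattern in Windows process-creation logs.

Added example, not code from the article, the DOJ or any vendor. The log lines
below are constructed as simplified process-creation records (the fields one
would carry from Security event 4688 or Sysmon event 1). The command-line
patterns are assumptions about how an affiliate would perform the behaviours
the article lists (stop VSS, delete shadow copies, kill backup/AV processes,
clear event logs, disable Defender via the registry).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# (technique label, pattern over the command line). Any one of these on its
# own is also seen in legitimate administration; the alert below keys on
# several distinct techniques firing on one host inside a short window.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("vss_service_stop",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+(vss|swprv)\b", re.I)),
    ("backup_av_process_kill",
     re.compile(r"taskkill(\.exe)?\s.*?/im\s+\S*(backup|antivirus|msmpeng)\S*", re.I)),
    ("event_log_clear",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+(system|security|application)\b", re.I)),
    ("defender_registry_disable",
     re.compile(r"reg(\.exe)?\s+add\s+.*windows defender.*"
                r"\b(DisableAntiSpyware|DisableRealtimeMonitoring)\b.*\b1\b", re.I)),
]


def parse_line(line):
    """Parse one constructed record into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"], "user": m["user"], "image": m["image"], "cmd": m["cmd"],
    }


def match_rules(cmd):
    """Return the technique labels whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def find_clusters(lines, window=timedelta(minutes=10), min_techniques=2):
    """Per host, find the densest `window` of rule hits; alert when it holds
    at least `min_techniques` distinct techniques. Returns {host: [techniques]}."""
    by_host = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        for tech in match_rules(event["cmd"]):
            by_host[event["host"]].append((event["ts"], tech))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):
            techs = {tech for ts, tech in hits[i:] if ts - t0 <= window}
            if len(techs) > len(best):
                best = techs
        if len(best) >= min_techniques:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample: FS01 shows the full sequence in under a minute; WS17 is an
# administrator clearing one log during the day, which should not alert.
SAMPLE_LOG = r"""
2022-07-12T03:14:07Z host=FS01 user=CORP\backupsvc image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c net stop vss"
2022-07-12T03:14:09Z host=FS01 user=CORP\backupsvc image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"
2022-07-12T03:14:12Z host=FS01 user=CORP\backupsvc image=C:\Windows\System32\taskkill.exe cmd="taskkill.exe /f /im backupagent.exe"
2022-07-12T03:14:20Z host=FS01 user=CORP\backupsvc image=C:\Windows\System32\wevtutil.exe cmd="wevtutil.exe cl security"
2022-07-12T03:14:21Z host=FS01 user=CORP\backupsvc image=C:\Windows\System32\wevtutil.exe cmd="wevtutil.exe cl system"
2022-07-12T03:14:30Z host=FS01 user=CORP\backupsvc image=C:\Windows\System32\reg.exe cmd="reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
2022-07-12T09:02:11Z host=WS17 user=CORP\jsmith image=C:\Windows\System32\wevtutil.exe cmd="wevtutil.exe cl application"
2022-07-12T09:30:00Z host=WS17 user=CORP\jsmith image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Users\jsmith\notes.txt"
"""

if __name__ == "__main__":
    for host, techs in find_clusters(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: {', '.join(techs)}")
```

Run as a script it reports only FS01; the lone log clear on WS17 stays below the threshold, which is the point of clustering rather than alerting on each command. The rules depend on command lines being logged at all: on Windows that means enabling process-creation auditing together with the "Include command line in process creation events" policy, or a Sysmon deployment. Clearing a log also leaves its own trace (Security event 1102 when the Security log is cleared, System event 104 for the others), which is worth correlating as an independent signal since it survives the wiping of the other logs.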

Since late July 2022, the Federal Bureau of Investigation (FBI) has had access inside Hive’s computer networks, captured its decryption keys and provided them to victims worldwide, sparing those victims from paying roughly $130 million in demanded ransoms. “Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims,” the DOJ said.

The operation culminated in Thursday’s announcement by the DOJ, in coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, that it had seized control of the servers and websites Hive used to communicate with its members, disrupting Hive’s ability to attack and extort victims.

“Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” Merrick B. Garland, U.S. Attorney General, said. “Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”

“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard,” Christopher Wray, FBI director, said. “The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American business and organizations.”

Last November, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) released a joint cybersecurity advisory disseminating known Hive indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) identified through FBI investigations. The HHS had said in October 2021 that possibly Russian-speaking actors were behind Hive ransomware activity targeting the U.S. healthcare and public health sector.

Commenting on the DOJ’s disruption of the Hive ransomware group, Satnam Narang, senior staff research engineer at Tenable, said in an emailed statement that while the action is a positive one, the members and affiliates of the Hive ransomware group remain a threat.

“The actions undertaken by U.S. agencies to disrupt the Hive ransomware group operation from within is an unprecedented step in the fight against ransomware, which has steadily remained the biggest threat facing most organisations today,” Narang added. “While this may signal the end of the Hive ransomware group, its members and affiliates remain a threat. If there’s anything we’ve learned after past disruptive actions against ransomware groups, it’s that other groups will rise to fill the void left behind.”

Earlier this week, the Australian-chaired International Counter Ransomware Taskforce (ICRTF) formally commenced its activities to strengthen international efforts to combat ransomware and to help build global resilience against malicious cyber actors.

The Taskforce, established in the Department of Home Affairs’ Cyber and Critical Technology Coordination Centre, is part of the 37-country U.S.-led Counter Ransomware Initiative (CRI). Last November, CRI members agreed to establish the ICRTF, with Australia serving as its inaugural chair and coordinator.

Its mission will complement efforts by other Australian agencies, including the 100-person joint Australian Federal Police and Australian Signals Directorate operational group tasked with actively thwarting the activities of cybercriminals.

The ICRTF builds on the activities undertaken by the CRI in its first year of operation and aims to translate that groundwork into concrete results, including cross-sectoral tools, cyber threat intelligence exchanges and collective best-practice guidance for countering ransomware. It will also serve as the channel through which the CRI connects with industry for defensive and disruptive threat sharing and actions.

Tom Kellermann, CISM, senior vice president of cyber strategy at Contrast Security, wrote in an emailed statement that “today’s disruption of the Russian HIVE ransomware infrastructure underscores the historic international cooperation between law enforcement agencies.  The International Ransomware taskforce is having an impact.”

Kellermann added that the real challenge lies in the protection racket that exists between the cybercrime cartels and the Russian regime, which endows them with untouchable status from western law enforcement. “We must recognize that the majority of the proceeds from ransomware allow for Russia to offset economic sanctions,” he added.
