Europol supports global law enforcement agencies to shut down Hive ransomware affiliates

Europol supported the German, Dutch, and U.S. authorities in disrupting and taking down the infrastructure used by Hive ransomware affiliates, in an operation involving law enforcement authorities from a total of 13 countries. The agency supported the shutting down of servers and provided decryption tools to victims. Law enforcement teams were able to identify the decryption keys and shared them with many of the victims, helping them regain access to their data without paying a ransom to the cybercriminals.

Europol said in a media statement Thursday that it streamlined victim mitigation efforts with other EU countries, which prevented private companies from falling victim to Hive ransomware. “Law enforcement provided the decryption key to companies which had been compromised in order to help them decrypt their data without paying the ransom. This effort has prevented the payment of more than USD 130 million or the equivalent of about EUR 120 million of ransom payments,” it added. 

Since June 2021, criminals have used Hive ransomware to target various businesses and critical infrastructure sectors, including government facilities, telecommunication companies, manufacturing, IT, and healthcare and public health, Europol said. In one major attack, Hive affiliates targeted a hospital, which led to severe repercussions regarding how the hospital could deal with the COVID-19 pandemic. Due to the attack, this hospital had to resort to analog methods to treat existing patients and was unable to accept new ones. 

Europol facilitated the information exchange, supported the coordination of the operation, and funded operational meetings in Portugal and the Netherlands. Europol also provided analytical support linking available data to various criminal cases within and outside the EU and supported the investigation through cryptocurrency, malware, decryption, and forensic analysis.

On the action days, Europol deployed four experts to help coordinate the activities on the ground. Europol supported the law enforcement authorities involved by coordinating the cryptocurrency and malware analysis, cross-checking operational information against Europol’s databases, and further operational analysis and forensic support. 

Furthermore, analysis of this data and other related cases is expected to trigger further investigative activities. The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.

Europol listed the law enforcement agencies involved as Canada: Royal Canadian Mounted Police (RCMP) and Peel Regional Police; France: National Police (Police Nationale); Germany: Federal Criminal Police Office (Bundeskriminalamt) and Police Headquarters Reutlingen, CID Esslingen (Polizei BW); Ireland: National Police (An Garda Síochána); Lithuania: Criminal Police Bureau (Kriminalinės Policijos Biuras); Netherlands: National Police (Politie); Norway: National Police (Politiet); Portugal: Judicial Police (Polícia Judiciária); Romania: Romanian Police (Poliția Română, DCCO); Spain: Spanish Police (Policía Nacional); Sweden: Swedish Police (Polisen); U.K.: National Crime Agency; and U.S.: United States Secret Service and Federal Bureau of Investigation.

On Thursday, the U.S. Department of Justice announced its ‘months-long disruption’ campaign against the Hive ransomware group that has targeted more than 1,500 victims across over 80 countries around the world. Additionally, since late July, the FBI has penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay the $130 million in ransom demanded. 

Headquartered in The Hague, Netherlands, Europol supports the 27 EU member states in their fight against terrorism, cybercrime, and other forms of serious and organized crime. The agency said that over the last year, Hive ransomware has been identified as a major threat, as it has been used to compromise and encrypt the data and computer systems of large IT and oil multinationals in the EU and the U.S. Since June 2021, over 1,500 companies from over 80 countries worldwide have fallen victim to Hive associates and lost almost EUR 100 million in ransom payments.

“Affiliates executed the cyberattacks, but the HIVE ransomware was created, maintained and updated by developers. Affiliates used the double extortion model of ‘ransomware-as-a-service’; first, they copied data and then encrypted the files,” according to Europol. “Then, they asked for a ransom to both decrypt the files and to not publish the stolen data on the Hive Leak Site. When the victims paid, the ransom was then split between affiliates (who received 80%) and developers (who received 20%).”

Other dangerous ransomware groups have also used this so-called RaaS model to perpetrate high-level attacks in the last few years. This has included demanding millions of euros in ransom to decrypt affected systems, often at companies operating critical infrastructure.

The ransomware affiliates attacked companies in different ways. Some Hive hackers gained access to victims’ networks by using single-factor logins via remote desktop protocol, virtual private networks, and other remote network connection protocols. In other cases, Hive actors bypassed multi-factor authentication and gained access by exploiting vulnerabilities, according to Europol. 

“This enabled malicious cybercriminals to log in without a prompt for the user’s second authentication factor by changing the case of the username,” the agency said. “Some HIVE actors also gained initial access to victims’ networks by distributing phishing emails with malicious attachments and by exploiting the vulnerabilities of the operating systems of the attacked devices,” it added.
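The username-case weakness Europol describes is a class of bug worth seeing in code. The following is an added, constructed illustration (not Europol's text and not the code of any product Hive affiliates targeted) that assumes one plausible root cause: the password check treats account names case-insensitively while the MFA enrolment table is keyed on the exact string typed, so an unenrolled-looking name is waved through. The hardened variant canonicalises the name before every lookup and fails closed for accounts with no enrolment.

```python
"""Toy login flow showing a username-case mismatch between password
authentication and MFA enrolment lookup, and the fix (constructed example)."""
import hashlib
import hmac

# Constructed user store. Directory-style systems often treat account names
# as case-insensitive, so the password table is keyed on the lower-cased name.
USERS = {"jsmith": hashlib.sha256(b"correct horse").hexdigest()}
# Assumed flaw: MFA enrolment was keyed on the exact string the user typed.
MFA_ENROLLED = {"jsmith": "totp-secret-placeholder"}


def canonical(username):
    """One canonical form for every lookup: trimmed and lower-cased."""
    return username.strip().lower()


def _password_ok(username, password):
    stored = USERS.get(username.lower())
    if stored is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, given)


def expected_code(name):
    """Toy one-time code derived from the enrolled secret (constructed,
    not RFC 4226/6238); used only so the example verifies something real."""
    secret = MFA_ENROLLED[canonical(name)]
    return hmac.new(secret.encode(), b"counter-1", hashlib.sha256).hexdigest()[:6]


def _otp_ok(name, otp):
    return otp is not None and hmac.compare_digest(expected_code(name), otp)


def login_vulnerable(username, password, otp):
    """'JSmith' passes the lower-cased password check but is not found in
    MFA_ENROLLED as typed, so the flow treats the user as unenrolled."""
    if not _password_ok(username, password):
        return "denied"
    if username not in MFA_ENROLLED:
        return "granted-no-mfa"  # second factor never prompted
    return "granted" if _otp_ok(username, otp) else "mfa-required"


def login_hardened(username, password, otp):
    """Canonical name for every lookup; no enrolment means no access."""
    name = canonical(username)
    if not _password_ok(name, password):
        return "denied"
    if name not in MFA_ENROLLED:
        return "denied-unenrolled"  # fail closed instead of skipping MFA
    return "granted" if _otp_ok(name, otp) else "mfa-required"
```

A detection-side corollary: a successful login whose typed username differs in case from the directory's canonical name, with no second-factor event recorded, is a useful alert condition while such a mismatch is being fixed.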
