FBI takes down Hive ransomware group

Working with international law enforcement, the FBI said it has seized control of the servers the Hive group uses to communicate with members.

The FBI has revealed the results of a months-long campaign designed to thwart an infamous ransomware group known for extorting hospitals, school districts and critical infrastructure. On Thursday, the agency announced that it had worked with law enforcement agencies in Germany and the Netherlands to take control of the servers used by the Hive criminal gang to communicate with its members, cutting off its ability to extort its victims.

The group’s dark web site now displays a message in both English and Russian stating: “This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware.”


Another message indicates that the action was taken by the United States Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance from Europol.


Takedown of Hive’s website is the latest step
The takedown of the Hive website is just the latest in a series of steps aimed at disrupting the group’s capabilities. The FBI said that since late July of 2022 it has penetrated the gang’s computer networks, captured its decryption keys and provided those keys to victims around the world.

Providing the decryption keys to Hive victims was a crucial step: according to the FBI, it spared victims from paying roughly $130 million in demanded ransoms. Since the FBI’s campaign started, more than 300 decryption keys have been given to Hive victims while they were under attack, and more than 1,000 were provided to victims of the gang’s previous attacks.

“Cybercriminals utilize sophisticated technologies to prey upon innocent victims worldwide,” said U.S. Attorney Roger Handberg for the Middle District of Florida. “Thanks to the exceptional investigative work and coordination by our domestic and international law enforcement partners, further extortion by Hive has been thwarted, critical business operations can resume without interruption, and millions of dollars in ransom payments were averted.”

History of Hive

Surfacing in 2021, Hive launched a series of attacks that quickly made it one of the most active and prominent ransomware groups. Employing the ransomware-as-a-service model, Hive develops the necessary ransomware tools and technologies and then recruits affiliates to carry out the actual attacks. After a ransom is received, Hive affiliates and administrators split the money 80/20, according to the FBI.

Using the RaaS model, Hive has targeted a variety of sectors, including hospitals, school districts, financial firms and critical infrastructure. Since June of 2021, the group has targeted more than 1,500 victims globally and collected more than $100 million in ransom payments.

Tactics of Hive

Hive is known for double extortion tactics, in which the attackers not only encrypt the data to prevent victims from accessing it but also threaten to publicly leak the stolen information unless the ransom is paid. The group has already published data stolen from victims on its leak website.

Hive affiliates gain access to the networks of intended victims through different methods, according to the U.S. Cybersecurity and Infrastructure Security Agency. In some cases, the attackers get in through single-factor account logins (accounts with no second authentication factor) over Remote Desktop Protocol, virtual private networks or other remote connection protocols.

In other cases, they exploit vulnerabilities in Fortinet FortiToken authentication products that allow the second factor to be bypassed. Another common tactic involves sending phishing emails with malicious file attachments.
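The single-factor remote logins described above leave a trail in the Windows Security log, which is where a defender can look for them. What follows is an added example, not code from the article, the FBI or CISA: a small Python detection that scans constructed Windows Security event records (modelled on Event ID 4624, successful logon, and 4625, failed logon) for successful RDP sessions from outside the organisation’s address space, and for a success preceded by a run of failures from the same source, the pattern of a guessed password on a service with no second factor. The sample events, the account names and the list of internal address ranges are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records modelled on Windows Security Event ID 4624
# (successful logon) and 4625 (failed logon). Real events carry many more
# fields; only the ones these checks use are included. Addresses come from
# the RFC 5737 documentation ranges and RFC 1918 space.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "jsmith", "LogonType": 10,
     "IpAddress": "203.0.113.45", "TimeCreated": "2022-07-20T02:11:03Z"},
    {"EventID": 4625, "TargetUserName": "jsmith", "LogonType": 10,
     "IpAddress": "203.0.113.45", "TimeCreated": "2022-07-20T02:11:09Z"},
    {"EventID": 4625, "TargetUserName": "jsmith", "LogonType": 10,
     "IpAddress": "203.0.113.45", "TimeCreated": "2022-07-20T02:11:15Z"},
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 10,
     "IpAddress": "203.0.113.45", "TimeCreated": "2022-07-20T02:11:22Z"},
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 10,
     "IpAddress": "10.0.4.17", "TimeCreated": "2022-07-20T08:02:41Z"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3,
     "IpAddress": "198.51.100.7", "TimeCreated": "2022-07-20T08:05:00Z"},
    {"EventID": 4624, "TargetUserName": "SYSTEM", "LogonType": 5,
     "IpAddress": "-", "TimeCreated": "2022-07-20T08:06:00Z"},
    {"EventID": 4624, "TargetUserName": "admin", "LogonType": 10,
     "IpAddress": "198.51.100.7", "TimeCreated": "2022-07-20T21:40:12Z"},
]

# LogonType 10 is RemoteInteractive: a Terminal Services / RDP session.
RDP_LOGON_TYPE = 10

# Assumed internal address space for the example: RFC 1918, loopback and
# link-local. A real deployment would list its own ranges (VPN pools, etc.).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def is_external(ip_str):
    """True for an address outside INTERNAL_NETS. Windows writes '-' for
    logons with no network source; that and malformed values are not
    treated as external."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Successful RDP logons (4624, LogonType 10) from external sources."""
    return [e for e in events
            if e["EventID"] == 4624
            and e["LogonType"] == RDP_LOGON_TYPE
            and is_external(e["IpAddress"])]


def failures_before_success(events, min_failures=3):
    """Per (source, account): a 4624 success preceded by at least
    min_failures consecutive 4625 failures from the same source. Events
    must be in time order; the failure count resets on each success."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        key = (e["IpAddress"], e["TargetUserName"])
        if e["EventID"] == 4625:
            failures[key] += 1
        elif e["EventID"] == 4624:
            if failures[key] >= min_failures:
                hits.append({"source": key[0], "account": key[1],
                             "failures": failures[key],
                             "at": e["TimeCreated"]})
            failures[key] = 0
    return hits


if __name__ == "__main__":
    for e in external_rdp_logons(SAMPLE_EVENTS):
        print(f"external RDP logon: {e['TargetUserName']} from "
              f"{e['IpAddress']} at {e['TimeCreated']}")
    for h in failures_before_success(SAMPLE_EVENTS):
        print(f"{h['failures']} failures then success: {h['account']} from "
              f"{h['source']} at {h['at']}")
```

On the sample data the first check flags the two RDP sessions from documentation-range addresses and ignores the one from 10.0.4.17, the network (LogonType 3) logon and the local SYSTEM logon; the second check flags only jsmith’s success after three failures from the same source. Neither check is a substitute for requiring a second factor on every remote-access path, which is the control that closes the entry point the passage describes.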

Challenges in taking down ransomware groups

Ransomware groups are difficult to fully wipe out because their members tend to resurface in other groups and capacities. But the efforts by the FBI and other law enforcement agencies are designed to hit them on several fronts.

“While this is definitely a win, this is by no means the end of ransomware,” said Jordan LaRose, practice director for infrastructure security at security consulting firm NCC Group. “We have already seen a reemergence from REvil, and Hive will likely follow suit in some form.”


“But, takedowns like these doubtlessly deter attackers and potential payees and increase awareness of the long-term effects of paying attackers.”

Collaboration and cooperation among different law enforcement entities around the world is key to winning the battle against ransomware attackers, LaRose added. Also of great help is the ability of security experts to provide critical threat intelligence to the FBI and other organizations.

Recommendations to combat ransomware

“For vulnerable organizations, this is why the primary focus must be getting their system back up and running after an attack,” said Caroline Seymour, vice president of product marketing for disaster recovery firm Zerto. “When a service provider is disabled and access to data is held in exchange for ransom, the best way to fight back and get up and running again is to have a recovery solution in place that protects systems from disruption and provides a path to instant recovery.”

However, many organizations turn to backups that are a day or even a week old to restore their data, Seymour added. That leads to gaps and data loss that can impact the business and add to the overall cost of recovery.

“The key is having a solution that’s always on with enough granularity to recover to a point in time precisely before the attack occurred without time gaps,” Seymour said. “The best solution will be one that uses continuous data protection and keeps valuable data protected in real time.”

