Hive ransomware servers shut down at last, says FBI

by Naked Security writer


Six months ago, according to the US Department of Justice (DOJ), the Federal Bureau of Investigation (FBI) infiltrated the Hive ransomware gang and started “stealing back” the decryption keys for victims whose files had been scrambled.

As you are almost certainly, and sadly, aware, ransomware attacks these days typically involve two associated groups of cybercriminals.

These groups often “know” each other only by nicknames, and “meet” only online, using anonymity tools to avoid actually knowing (or revealing, whether by accident or design) each others’ real-life identities and locations.

The core gang members stay largely in the background, creating malicious programs that scramble (or otherwise block access to) all your important files, using an access key that they keep to themselves after the damage is done.

They also run one or more darkweb “payment pages” where victims, loosely speaking, go to pay blackmail money in return for those access keys, thus allowing them to unlock their frozen computers, and get their companies running again.

Crimeware-as-a-Service

This core group is surrounded by a possibly large and ever-changing group of “affiliates”: partners in crime who break into other people’s networks in order to implant the core gang’s “attack programs” as widely and deeply as possible.

Their goal, motivated by a “commission fee” that may be as much as 80% of the total blackmail paid, is to create such widespread and sudden disruption to a business that they can not only demand an eye-watering extortion payment, but also leave the victim with little choice but to pay up.

This arrangement is generally known as RaaS or CaaS, short for ransomware (or crimeware) as-a-service, a name that stands as an ironic reminder that the cybercriminal underworld is happy to copy the affiliate or franchise model used by many legitimate businesses.

Recovering
without
paying

There are three main ways that victims can get their businesses back on the rails without paying up after a successful network-wide file-lockout attack:

  • Have a robust and efficient recovery plan.

    Generally speaking, this means not only having a top-notch process for making backups, but also knowing how to keep at least one backup copy of everything safe from the ransomware affiliates (they like nothing better than to find and destroy your online backups before unleashing the final phase of their attack). You also need to have practised how to restore those backups reliably and quickly enough that doing so is a viable alternative to simply paying up anyway.

  • Find a flaw in the file lockout process used by the attackers.

    Usually, ransomware crooks “lock” your files by encrypting them with the very same sort of secure cryptography that you might use yourself when securing your web traffic or your own backups. Occasionally, however, the core gang makes one or more programming blunders that may allow you to use a free tool to “crack” the decryption and recover without paying. Be aware, however, that this path to recovery happens by luck, not by design.

  • Get hold of the actual recovery passwords or keys in some other way.

    Although this is rare, there are several ways it can happen, such as: identifying a turncoat inside the gang who will leak the keys in a fit of conscience or a burst of spite; finding a network security blunder allowing a counter-attack to extract the keys from the crooks’ own hidden servers; or infiltrating the gang and getting undercover access to the needed data in the criminals’ network.

The last of these, infiltration, is what the DOJ says it’s been able to do for at least some Hive victims since July 2022, apparently short-circuiting blackmail demands totalling more than $130 million, relating to more than 300 individual attacks, in just six months.

We’re assuming that the $130 million figure is based on the attackers’ initial demands; ransomware crooks sometimes end up agreeing to lower payments, preferring to take something rather than nothing, although the “discounts” offered often seem to reduce the payments only from unaffordably vast to eye-wateringly huge. The mean demand based on the figures above is $130M/300, or close to $450,000 per victim.

Hospitals
considered
fair
targets

As the DOJ points out, many ransomware gangs in general, and the Hive crew in particular, treat any and all networks as fair game for blackmail, attacking publicly-funded organisations such as schools and hospitals with just the same vigour that they use against the wealthiest commercial companies:

    [T]he Hive ransomware group […] has targeted more than 1500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure.

Unfortunately, even though infiltrating a modern cybercrime gang might give you fantastic insights into the gang’s TTPs (tools, techniques and procedures), and, as in this case, give you a chance of disrupting their operations by subverting the blackmail process on which those eye-watering extortion demands are based…

…knowing even a gang administrator’s password to the criminals’ darkweb-based IT infrastructure generally doesn’t tell you where that infrastructure is based.

Bidirectional
pseudoanonymity

One of the great/terrible aspects of the darkweb (depending on why you’re using it, and which side you are on), notably the Tor (short for the onion router) network that is widely favoured by today’s ransomware criminals, is what you might call its bidirectional pseudoanonymity.

The darkweb doesn’t just shield the identity and location of the users who connect to servers hosted on it, but also hides the location of the servers themselves from the clients who visit.

The server (for the most part, at least) doesn’t know who you are when you log in, which is what attracts clients such as cybercrime affiliates and would-be darkweb drug buyers, because they tend to feel that they’ll be able to cut-and-run safely, even if the core gang operators get busted.

Similarly, rogue server operators are attracted by the fact that even if their clients, affiliates or own sysadmins get busted, or turned, or hacked by law enforcement, they won’t be able to reveal who the core gang members are, or where they host their malicious online activities.

Takedown
at
last

Well, it seems that the reason for yesterday’s DOJ press release is that FBI investigators, with the assistance of law enforcement in both Germany and the Netherlands, have now identified, located and seized the darkweb servers that the Hive gang were using:

    Finally, the department announced today [2023-01-26] that, in coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, it has seized control of the servers and websites that Hive uses to communicate with its members, disrupting Hive’s ability to attack and extort victims.

What
to
do?

We wrote this article to applaud the FBI and its law enforcement partners in Europe for getting this far…

…investigating, infiltrating, reconnoitering, and finally striking to implode the current infrastructure of this notorious ransomware crew, with their half-million-dollars-on-average blackmail demands, and their willingness to take out hospitals just as readily as they go after anyone else’s network.

Unfortunately, you’ve probably already heard the cliché that cybercrime abhors a vacuum, and that is sadly true for ransomware operators as much as it is for any other aspect of online criminality.

If the core gang members aren’t arrested, they may simply lie low for a while, and then spring up under a new name (or perhaps even deliberately and arrogantly revive their old “brand”) with new servers, accessible once again on the darkweb but at a new and now unknown location.

Or other ransomware gangs will simply ramp up their operations, hoping to attract some of the “affiliates” that were suddenly left without their lucratively unlawful revenue stream.

Either way, takedowns like this are something we urgently need, that we need to cheer when they happen, but that are unlikely to put more than a temporary dent in cybercriminality as a whole.

To reduce the amount of money that ransomware crooks are sucking out of our economy, we need to aim for cybercrime prevention, not merely cure.

Detecting, responding to and thus preventing potential ransomware attacks before they start, or while they’re unfolding, or even at the very last moment, when the crooks try to unleash the final file-scrambling process across your network, is always better than the stress of trying to recover from an actual attack.

As Mr Miyagi, of Karate Kid fame, knowingly remarked, “Best way to avoid punch, no be there.”


