• FBI Disrupts ‘Hive’ Ransomware Group

    From David P.@21:1/5 to All on Fri Feb 3 10:36:16 2023
    FBI Disrupts ‘Hive’ Ransomware Group
    By Aruna Viswanatha and Dustin Volz, Jan. 26, 2023, WSJ

    U.S. authorities seized the servers of the notorious Hive ransomware group after entering its networks and capturing keys to decrypt its software, the Justice Department said Thursday, calling its effort a “21st-century cyber stakeout.”

    The group linked to Hive ransomware is widely seen by authorities and cybersecurity experts as one of the most prolific and dangerous cybercriminal actors in recent years. It has been linked to attacks on more than 1,500 victims including hospitals and
    schools—and has extorted more than $100 million in ransom payments, the Justice Department said.

    In an operation that began in the summer in Tampa, Fla., Federal Bureau of Investigation agents infiltrated Hive’s network and used the access to identify victims and provide them keys with which to take back control of their networks, officials said.
    The effort blocked some $130 million in demanded ransoms, department officials said.

    “The FBI and our prosecutors have been inside the network of one of the world’s most prolific ransomware variants,” Deputy Attorney General Lisa Monaco said. “We hacked the hackers.”

    Officials didn’t announce arrests Thursday but said their investigation was still under way. They declined to specify where the people behind the Hive ransomware were based. Experts have said the majority of criminal ransomware groups are based in
    Eastern Europe, particularly in Russia and Russian-speaking countries.

    In coordinated operations on Wednesday, German and Dutch police also seized servers associated with the group. Hive’s website was inaccessible Thursday, flashing a message stating it had been seized as part of a law-enforcement action.

    Ransomware is a type of malicious code that infiltrates victims’ computer networks and locks up important files. Hackers then demand payment—often in bitcoin or another cryptocurrency—to release the files. The Hive group was known to punish victims
    who managed to restore their systems by infiltrating them again and reinfecting them with another variant.

    Among its more notable traits, the Hive group, which researchers say has only been active for a couple of years, was often blamed for targeting hospital networks and forcing disruptions to patient care.

    The group favored a ransomware-as-a-service model in which a core group of developers sell their ransomware code to affiliates, who then target victim networks. Such a profit-sharing arrangement has made it more difficult, at times, to identify hackers
    behind a ransomware group, officials and experts have said.

    The Hive was responsible for a summer 2021 attack on a Midwest hospital that forced the facility to stop accepting new patients and use paper records, Attorney General Merrick Garland said, adding that the group most recently targeted victims in Florida
    and California in the past month.

    The Biden admin began viewing ransomware as a top national-security threat in the wake of the 2021 cyberattack on Colonial Pipeline, which led to a shutdown of the largest conduit of fuel on the East Coast for several days. That attack, like many of the
    ransomware threats that target the U.S. and its allies, was blamed on a Russian-speaking criminal cyber gang.

    At the time, FBI Director Christopher Wray said the agency was investigating about 100 different types of ransomware, many tracing back to hackers in Russia. He also compared the spate of cyberattacks to the challenge posed by the 9/11 terrorist attacks.

    Since then, the Justice Dept and other agencies have sought to give priority to ransomware gang disruptions along with bringing criminal prosecutions against hackers.

    Mr. Wray said Thursday the action against Hive was one of the largest cyber operations yet for the FBI. “I’m not sure we’ve had one that’s been quite this scale, in terms of the sheer number of keys we’ve been able to get access to and the
    sheer number of victims we’ve been able to help over this period of time,” he said.

    According to an FBI affidavit filed this week, Hive hackers have left ransom notes with login credentials to a Hive website referred to as the “Sales Department,” through which victims were expected to negotiate a ransom payment and receive proof
    that the data had been stolen. Victims who didn’t pay had their data published online. A previous search led the FBI to servers in Los Angeles and in the Netherlands, it said.

    Cybersecurity researchers said that while the takedown was significant, it would hardly impact the overall ransomware epidemic.

    “The disruption of the Hive service won’t cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system,” said John Hultquist, head of intelligence analysis at
    Mandiant, a cybersecurity firm recently acquired by Alphabet Inc. “Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may
    think twice before allowing their ransomware to be used to target hospitals.”

    Still, cyber experts said, the operations showed an evolution in the FBI’s approach, involving novel work that highlighted the benefits that the FBI was able to offer to victims. “This is without question the most significant law-enforcement action
    to date to disrupt a ransomware group,” said Alex Iftimie, a former cyber prosecutor who is now with the law firm Morrison Foerster.

    Kimberly Goody, another researcher with Mandiant, said Hive ransomware was the most prolific strain the company observed in its 2022 incident responses, accounting for over 15% of ransomware intrusions. While Hive targeted companies across the globe, 50%
    of its victims were based in the U.S., Ms. Goody said.

    https://www.wsj.com/articles/u-s-disrupts-hive-ransomware-group-seizes-its-servers-11674749213

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)