Washington: The FBI and international partners have at least temporarily disrupted the network of a prolific ransomware gang they infiltrated last year, saving victims including hospitals and school districts a potential $130 million in ransom payments, Attorney General Merrick Garland and other US officials announced on Thursday.
“Simply put, we hacked hackers using legal means,” Deputy Attorney General Lisa Monaco told a news conference.
The targeted syndicate, known as Hive, is one of the world’s top five ransomware networks and has heavily targeted health care, officials said. FBI Director Christopher Wray said the FBI quietly accessed Hive’s control panels in July and was able to obtain software keys that it used, with German and other partners, to decrypt the networks of about 1,300 victims globally.
How the takedown will affect Hive’s long-term operations is unclear. Officials announced no arrests but said, in preparation for prosecution, they were mapping the administrators who manage the software and the associates who infect targets and interact with victims.
“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.
On Wednesday night, FBI agents seized computer servers in Los Angeles used to support the network. Two Hive dark web sites were seized: one was used to leak data from non-paying victims, the other to negotiate extortion payments.
“Cybercrime is an ever-evolving threat, but as I’ve said before, the Department of Justice will spare no effort to bring to justice anyone who targets the United States with a ransomware attack,” Garland said.

He said the intrusion, led by the FBI’s Tampa office, allowed agents in one instance to disrupt a Hive attack against a Texas school district, preventing it from paying $5 million.
This is a huge victory for the Justice Department. Ransomware is the world’s biggest cybercrime headache, with everything from Britain’s postal service and Ireland’s national health network to Costa Rica’s government crippled by Russian-speaking syndicates who enjoy Kremlin protection.
Criminals lock down or encrypt victims’ networks, steal sensitive data and demand large sums of money. Where data is stolen before the ransomware is activated, it is then effectively held hostage: pay in cryptocurrency or it is released publicly.
As an example of a Hive sting, Garland said one prevented a Midwestern hospital from accepting new patients in 2021, at the height of the COVID-19 pandemic.
The online takedown notice, alternately in English and Russian, mentions Europol and German law enforcement partners. German news agency DPA quoted prosecutors in Stuttgart as saying that cyber experts in the southwestern city of Esslingen were pivotal in penetrating Hive’s criminal IT infrastructure after a local company fell victim.
In a statement, Europol said companies in more than 80 countries, including oil multinationals, have been compromised by Hive and that law enforcement from 13 countries was involved in the operation.
A US government advisory last year said Hive ransomware actors preyed on more than 1,300 companies worldwide from June 2021 to November 2022, netting nearly $100 million in payments. Criminals using Hive’s ransomware-as-a-service tool targeted a wide range of businesses and critical infrastructure, including government, manufacturing and especially health care.
Although the FBI offered decryption keys to about 1,300 victims globally, Wray said only 20 percent reported potential issues to law enforcement.
“Here, fortunately, we were still able to identify and help many victims who didn’t report it. But that’s not always the case,” Wray said. “When victims report an assault to us, we can help them and others.”
Victims sometimes secretly pay the ransom without notifying authorities – even if they have quickly restored the network – because the data stolen from them could be extremely damaging to them if leaked online. Identity theft is among the risks.
John Hultquist, head of threat intelligence at cybersecurity firm Mandiant, said the Hive disruption won’t lead to a big drop in overall ransomware activity, but it’s still “a blow to a dangerous group.”
“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures that a Hive competitor will stand up to offer a similar service in their absence, but they may think twice before allowing their ransomware to target hospitals,” Hultquist said.
But analyst Brett Callow with cybersecurity firm Emsisoft said the operation is apt to undermine the miscreants’ confidence in what has been a very high-reward, low-risk business. “The information gathered may point to associates, launderers, and others involved in the ransomware supply chain.”
Allan Liska, an analyst with Recorded Future, another cybersecurity organization, predicted indictments if not actual arrests over the next few months.
There are few positive indicators in the global fight against ransomware, but here is one: An analysis of cryptocurrency transactions by the firm Chainalysis found that ransomware extortion payments were down last year. It tracked payouts of at least $456.8 million, down from $765.6 million in 2021. While Chainalysis said the true totals were certainly much higher, the payouts were clearly lower. This suggests that more victims are refusing to pay.
The Biden administration got serious about ransomware at its highest levels two years ago after a series of high-profile attacks threatened critical infrastructure and global industry. For example, in May 2021, hackers targeted the nation’s largest fuel pipeline, forcing operators to temporarily shut it down and pay a multimillion-dollar ransom, which the US government later largely recovered.
A global task force involving 37 countries began work this week. It is led by Australia, which has been particularly hard hit by ransomware, including attacks on major medical insurers and telcos. Traditional law enforcement measures such as arrest and prosecution have done little to deter criminals. Australia’s interior minister, Clare O’Neil, said in November that her government would go on the offensive, using cyber-intelligence and police agents to “find these people, hunt them down and debilitate them before they attack our country.”
The FBI has previously gained access to decryption keys. It did so in the case of a major ransomware attack in 2021 on a company whose software ran hundreds of websites. However, it waited several weeks before helping victims unlock the compromised networks.