Techspace - This week, the Department of Justice announced that FBI agents successfully disrupted the notorious Hive ransomware group and stopped $130 million worth of ransom campaigns that targets no longer needed to consider paying.
The department now reveals that it had infiltrated the Hive group's network for months before collaborating with officials from Germany and the Netherlands to shut down Hive servers and websites this week.
The department had previously claimed that the Hive group targeted over 1,500 victims in over 80 countries worldwide.
During a press conference, Deputy Attorney General Lisa Monaco stated, "Simply put, using lawful means, we hacked the hackers."
The FBI asserts that it was able to obtain over 300 decryption keys from Hive servers and return them to victims whose data had been locked up by the group.
In his statement, Attorney General Merrick Garland said that the FBI used those decryption keys to free a Texas school district asking for $5 million, a Louisiana hospital asking for $3 million, and an unidentified food services company that was asking for $10 million.
Monaco stated, "We turned the tables on Hive and busted their business model." The FBI ranked Hive among the top five ransomware threats. Since June 2021, the Justice Department claims that Hive's victims have paid more than $100 million in ransom.
The "ransomware-as-a-service (RaaS)" business model employed by Hive entails developing and marketing ransomware, recruiting "affiliates" to deploy it, and Hive administrators publishing stolen data on a "HiveLeaks" website if a customer refuses to pay.
The US Cybersecurity and Infrastructure Security Agency (CISA) says that the affiliates gain initial access through email phishing, by exploiting FortiToken authentication flaws, and by using RDP, VPNs and other remote connections that are protected only by single-factor logins.
Businesses and organizations that run their own Microsoft Exchange servers are the targets of the attacks, as detailed in a November CISA alert. The affiliates' code exploits known vulnerabilities such as CVE-2021-31207, which has been patched since 2021 but remains exploitable on servers where the fix and its mitigations have not been applied.
Once they get in, their strategy is to shut down any security software, delete logs, encrypt the data, and leave behind a ransom note called HOW_TO_DECRYPT.txt in encrypted directories that directs victims to a live chat panel where they can negotiate ransom demands. They carry this out using the company's own network management protocols.
Hive is the most prominent ransomware group the federal government has taken down since REvil in 2021, the group behind the attacks on an Apple supplier, from which MacBook schematics were leaked, and on the world's largest meat supplier.
Additionally, DarkSide received a $4.4 million ransom payment earlier that same year after breaching Colonial Pipeline's systems in an incident that sent national gas prices skyrocketing. The most widely publicized ransomware attack hit the insurer CNA Financial, netting the hackers $40 million.
Taking Down Ransomware Groups
Since the members of ransomware groups frequently reappear in different groups and capacities, it is difficult to eradicate them. However, the FBI and other law enforcement agencies are working to target them on multiple fronts.
"While this is a win, this is by no means the end of ransomware. From REvil, we have already seen a reemergence, and Hive will probably do the same in some way," said Jordan LaRose, practice director for infrastructure security at the security consulting firm NCC Group.
"However, takedowns such as these unquestionably discourage attackers and potential payees and raise awareness of the long-term effects of paying attackers."
LaRose went on to say that winning the battle against ransomware attackers relies heavily on collaboration and cooperation between various law enforcement agencies worldwide. The ability of security professionals to provide vital threat intelligence to the FBI and other organizations is also beneficial.
During its months-long infiltration of Hive, the FBI discovered over 1,000 encryption keys linked to previous group victims. However, FBI Director Christopher Wray noted that only 20% of identified victims sought assistance from the agency.
Fearing repercussions from the hackers and industry scrutiny for failing to secure themselves, many ransomware attack victims avoid contacting the FBI.
However, the ransomware industry keeps going precisely because hackers are making money from it. The FBI hopes to persuade more victims to cooperate rather than give in to demands. Monaco stated that when a victim comes forward, it can make all the difference in obtaining decryption keys or recovering stolen funds.