US infiltrates big ransomware gang: ‘We hacked the hackers’

Washington, Jan. 27 (BNA): The FBI and international partners have at least temporarily disrupted a prolific ransomware gang whose network they infiltrated last year, saving victims including hospitals and school districts from potentially up to $130 million in ransom payments, Attorney General Merrick Garland and other US officials announced Thursday.


“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco told a news conference.


Officials said the targeted gang, known as Hive, is among the five largest ransomware networks in the world and has heavily targeted healthcare, according to the Associated Press.


The FBI quietly gained access to Hive’s control panel in July, FBI Director Christopher Wray said, and obtained decryption keys that it used, together with German and other partners, to decrypt the networks of about 1,300 victims globally.


It’s unclear how the takedown will affect Hive’s long-term operations. Officials announced no arrests but said that, to pursue prosecutions, they were building a map of the administrators who run the operation and of the affiliates who hit targets and negotiate with victims.


“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.


On Wednesday night, FBI agents seized computer servers in Los Angeles that were used to support the network. Two Hive dark web sites were taken over: one used to leak the data of non-paying victims, the other to negotiate extortion payments.


“Cybercrime is an ever-evolving threat, but as I said before, the Department of Justice will spare no resources to bring to justice anyone, anywhere who targets the United States with a ransomware attack,” Garland said.



He said the operation, led by the FBI’s Tampa office, allowed agents in one case to disrupt a Hive attack against a Texas school, preventing it from paying $5 million.


It’s a huge win for the Department of Justice. Ransomware is the world’s biggest cybercrime problem, with victims ranging from Britain’s postal service and Ireland’s national health service to the government of Costa Rica, hit by Russian-speaking syndicates that enjoy Kremlin protection.


Criminals lock or encrypt victims’ networks, steal sensitive data and demand large sums of money. Their extortion has evolved to the point where data is stolen before the ransomware is activated and is then effectively held hostage: pay in cryptocurrency, or the data is published.


As an example of Hive’s impact, Garland said the gang in 2021 blocked a Midwestern hospital from accepting new patients at the height of the COVID-19 pandemic.


The online takedown notice, alternating between English and Russian, mentions Europol and German law enforcement partners. The German news agency dpa quoted public prosecutors in Stuttgart as saying that cyber specialists in the southwestern town of Esslingen were crucial in gaining access to Hive’s criminal IT infrastructure after a local company was victimized.


In a statement, Europol said companies in more than 80 countries, including multinational oil companies, had been hit by Hive and that law enforcement agencies from 13 countries were involved in the operation.


A US government advisory last year said that Hive ransomware actors victimized more than 1,300 businesses worldwide from June 2021 through November 2022, extracting about $100 million in payments. Criminals using Hive’s ransomware-as-a-service tools have targeted a wide range of businesses and critical infrastructure, including government, manufacturing and, in particular, healthcare.



Although the FBI has provided decryption keys to about 1,300 victims globally, Wray said only about 20% had reported potential problems to law enforcement.


“Here, fortunately, we were still able to identify and help many victims who did not report. But that is not always the case,” Wray said. “When victims report attacks to us, we can help them and help others as well.”


Victims sometimes pay ransoms quietly without notifying the authorities—even if they quickly restore networks—because data stolen from them could be extremely harmful if leaked online. Identity theft is among the risks.


John Hultquist, head of threat intelligence at cybersecurity firm Mandiant, said that disabling Hive would not cause a significant decrease in overall ransomware activity but was nonetheless a “blow to a dangerous group”.


“Unfortunately, the criminal market at the heart of the ransomware problem ensures that a Hive competitor will be standing by to provide a similar service in its absence, but they might think twice before allowing their ransomware to be used to target hospitals,” Hultquist said.


But analyst Brett Callow at cybersecurity firm Emsisoft said the operation was apt to reduce the trust of ransomware criminals in what was a high-risk, low-reward business. “The information collected may point to affiliates and others involved in the ransomware supply chain.”


Allan Liska, an analyst at Recorded Future, another cybersecurity firm, predicts indictments, if not actual arrests, in the next few months.


There are few positive signs in the global battle against ransomware, but here is one of them: an analysis of cryptocurrency transactions by Chainalysis found that ransomware extortion payments fell last year.



It tracked payments of at least $456.8 million, down from $765.6 million in 2021. While Chainalysis said the real totals are certainly much higher, the drop was conspicuous, indicating that more victims are refusing to pay.


The Biden administration got serious about ransomware two years ago after a series of high-profile attacks that threatened critical infrastructure and global industry.


In May 2021, for example, hackers targeted the country’s largest fuel pipeline, causing operators to briefly shut it down and pay a multimillion-dollar ransom, which was later largely recovered by the US government.


A global task force of 37 countries began its work this week. It is led by Australia, which has been particularly hard hit by ransomware, including attacks on a major health insurer and a telecommunications company. Traditional law enforcement measures such as arrests and trials have done little to deter criminals.


Australia’s Home Affairs minister, Clare O’Neil, said in November that her government was going on the offensive, using electronic intelligence and police agents to “find these people, hunt them down and degrade them before they can attack our country”.


The FBI has obtained decryption keys before. It did so in the case of a major 2021 ransomware attack on Kaseya, a company whose software runs hundreds of websites. However, it took some heat for waiting several weeks to help victims unlock the afflicted networks.

