FBI secretly penetrated Hive ransomware gang’s network, Hive dark web site seized

The Federal Bureau of Investigation (FBI) seized the computer infrastructure used by a notorious ransomware ring called Hive, and the dark web site it used to post information about its victims with evidence of the intrusion has been shown as a gif banner image of the FBI's setup, US officials announced Thursday.

The infamous Hive ransomware ring

Since June 2021, the Hive ransomware ring has extorted hundreds of millions of dollars from more than 1,500 victims in hospitals, schools, financial firms, and critical infrastructure in more than 80 countries/regions around the world. The FBI lists Hive as one of the top 5 ransomware threats - both for its technical sophistication and because of the harm it could cause to victims.

Hive ransomware attacks have caused significant disruptions to the daily operations of victimized businesses around the world and have impacted the response to the COVID-19 New Crown outbreak. In one case, a hospital attacked by the Hive ransomware had to use traditional simulation methods to treat existing patients and was unable to accept new patients immediately after the attack.

The Hive ransomware ring uses a ransomware-as-a-service (RaaS) model, which involves an administrator (sometimes called a developer) and a branch office. RaaS is a subscription-based model in which a developer or administrator develops ransomware and creates an easy-to-use interface to operate it, then recruits a branch office to deploy the ransomware on victims. Branches identify targets and deploy this off-the-shelf malware to attack victims, then earn a percentage of each successful ransom payment. After the victim pays, the branch and administrator split the ransom money 80-20, i.e. the branch earns 80% and the administrator gets 20%.

The Hive ransomware ring's affiliates used a dual ransom attack model. First, they infiltrated the victim's system and the branch would pass out or steal sensitive data before encrypting the victim's system. Next, the branch deploys malware that encrypts the victim's system, rendering it unusable. Finally, the group seeks a ransom payment from the victim to obtain the decryption keys needed to decrypt the victim's system and promises not to publish the stolen data. the Hive ransomware group often targets the most sensitive data on the victim's system to increase the pressure to pay, and Hive publishes the data of victims who do not pay through its Hive Leaks website, which is deployed on the dark web.

Hive affiliates target critical infrastructure and some of the most important industries in the United States.

In one case in August 2021, Hive affiliates deployed ransomware on computers owned by a hospital in the Midwest. The Hive ransomware attack prevented this hospital from accepting any new patients when the COVID-19 New Crown outbreak spiked in communities around the world. The hospital was also forced to rely on paper copies of patient information. It was only able to recover its data after a ransom was paid.

The Hive ransomware gang's latest victim in the Central District of California was attacked around December 30 last year. Its latest victim in the Central District of Florida was attacked about 15 days ago. In its first year of operation, Hive has extorted more than $100 million in ransom money from victims, many of whom were in the healthcare industry.

Feds infiltrate Hive ransomware ring's network

Last summer, FBI agents from the Tampa Division, supported by the Criminal Division's Computer Crime and Intellectual Property Section and the Attorney for the Middle District of Florida, infiltrated the Hive ransomware ring's network and began disrupting Hive's attempts to extort victims.

For example, the FBI disrupted a Hive ransomware attack against a Texas school district's computer system. The agency provided the school district with decryption keys that saved it from paying a $5 million ransom.

That same month, the FBI stopped a Hive ransomware attack on a Louisiana hospital, saving the victim from paying a $3 million ransom.

The FBI also successfully stopped an attack on a food service company. The agency provided the company with decryption keys and saved the victim from paying a $10 million ransom.

Since July last year, the FBI has provided assistance to more than 300 victims worldwide, helping to prevent approximately $130 million in ransom payments.

FBI Director Christopher Wray said at a press conference that since July, FBI officials have fought back against the so-called Hive ransomware group's computer network, had their top access, stole their decryption keys, and passed them on to victims, ultimately avoiding a ransom payment of more than $130 million. the FBI will continue to use any means possible to fight back against cybercrime.

Since infiltrating Hive's network in July 2022, the FBI has provided more than 300 decryption keys to Hive victims who have been attacked. In addition, the FBI has distributed more than 1,000 additional decryption keys to former Hive victims. Finally, the department announced today that in coordination with German law enforcement (German Federal Criminal Police and Reutlingen Police Headquarters - CID Esslingen) and the Dutch National High-Tech Crime Unit, it has taken control of the servers and websites used by Hive to communicate with its members, disrupting Hive's ability to attack and extort victims.

Hive ransomware ring's dark web site seized

The Hive ransomware ring used a dark web site to distribute victim information and evidence of the intrusion, which had the following dark web domain name: http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion.

Two Los Angeles-based back-end servers that hosted Hive's dark web site and stored critical information about its network were located and seized by the FBI, which also obtained court authorization to seize control of Hive's dark web site and render its services unavailable.

Currently, a visit to Hive's dark web site brings up a large gif bouncing with the following message displayed in Russian and English respectively.

The FBI seized the site as part of a coordinated law enforcement operation by the FBI, Secret Service, and many European government agencies against Hive Ransomware.

US Deputy Attorney General Lisa O. Monaco told reporters, "Simply put, we attacked the hackers using legal means."

The US is stepping up its fight against ransomware gangs

Thursday's announcement is the latest in a series of Justice Department crackdowns on overseas ransomware rings that have targeted the computers of U.S. companies, disrupting their operations and demanding millions of dollars to unlock their systems. Justice officials have confiscated millions of dollars in ransomware payments and urged companies not to pay the criminals.

The ransomware epidemic became even more urgent for US officials in May 2021 when Colonial Pipeline, a major pipeline operator delivering fuel to the East Coast, shut down for several days due to a ransomware attack by suspected Russian cybercriminals. The disruption led to long lines at gas stations in several states as people stocked up on fuel.

While the ransomware economy remains lucrative, there are signs that a tough crackdown by US and international law enforcement is crippling hackers' revenues. According to cryptocurrency tracking firm Chainalysis, ransomware revenue fell to about $457 million in 2022, down from $766 million in 2021.

Cybersecurity professionals have welcomed the breach of Hive, but some fear that another group will soon fill the void left by Hive.

John Hultquist, vice president of Google-owned cybersecurity firm Mandiant, told CNN, "The disruption of Hive's services won't result in a serious drop in overall ransomware activity, but it is a blow to a dangerous organization that has put lives at risk by attacking healthcare systems."

Hultquist said, "Unfortunately, the criminal market at the heart of the ransomware problem ensures that Hive's competitors will be ready to provide a similar service in their absence, but they may think twice before allowing their ransomware to be used to attack hospitals."

FBI Director Christopher Wray said the FBI would continue to track down the people behind the Hive ransomware and try to arrest them. It is unclear where these individuals are located. The Department of Health and Human Services has described Hive as a "potentially Russian-speaking" group.

The FBI's investigation and the technical approach to the Hive cyberattack

In July 2022, the FBI first gained access to the Hive database under a federal search warrant and was able to identify all the victims and obtain the corresponding decryption keys, which the FBI distributed to victims around the world, who confirmed that they had been infected with the Hive ransomware and that they were able to use these decryption keys to unlock their files.

On 11 January 2023, US investigators obtained images of two servers and a VPS located in Los Angeles, California. At the same time, the Dutch police also obtained a synchronized backup image of two Dutch servers. The servers all contained copies of code data from Hive's three dark web sites and data from the leaked sites.

In addition, according to the US Cybersecurity and Infrastructure Security Agency (CISA), affiliates of the Hive ransomware ring gained initial access to the victim's network through a variety of methods, including single-factor logins via Remote Desktop Protocol (RDP), Virtual Private Network (VPN) and other remote network connection protocols; exploiting the FortiToken vulnerability; and sending phishing emails with malicious attachments to phishing emails.