Hacking hackers: Here’s how the FBI took down the Hive ransomware group
- The FBI has been successful in taking down the Hive ransomware group, which targeted more than 1,500 victims in over 80 countries around the world.
- The FBI was able to infiltrate Hive’s network in July 2022 and provided over 300 decryption keys to Hive’s victims.
Hacking hackers is one way of taking down cybercriminals. However, being successful in infiltrating a cybercrime group can be extremely challenging. Most cybersecurity vendors have their own threat-hunting teams that work round the clock looking for new threats and update law enforcement agencies about new threats targeting victims.
Some of the best-known threat intelligence teams include Claroty's Team82, Palo Alto Networks' Unit 42 and Group-IB's threat intelligence unit, among others. Then there are cloud-based threat intelligence platforms, such as IBM X-Force Exchange, that allow users to consume, share and act on threat intelligence.
For law enforcement agencies, however, it is a different scenario. Globally, most agencies struggle to take down ransomware groups. While they often exchange intelligence and work with cybersecurity companies, dismantling a ransomware group is no easy task. Often, these groups are also watching how security agencies track them and are very good at covering their tracks.
Over the past few years, there have been a few success stories whereby ransomware groups or hackers have been caught and charged for their cybercrimes. Yet, for every ransomware group taken down, more appear to wreak havoc on organizations.
Despite the challenges, there have been some successes. Last year, law enforcement agencies arrested members of the Lapsus$ extortion group, which breached Microsoft, Samsung, NVIDIA and several other large companies (Lapsus$ stole and leaked data rather than deploying ransomware). A teenager from Oxford was arrested after reportedly making US$14 million from hacking. Another example came in January 2022, when members of the REvil ransomware gang were detained and the group was dismantled by Russia's Federal Security Service.
More recently, the FBI has been successful in taking down the Hive ransomware group, which targeted more than 1,500 victims in over 80 countries around the world. Its victims include hospitals, school districts, financial firms and critical infrastructure.
The Hive ransomware group used a ransomware-as-a-service model consisting of administrators, sometimes called developers, and affiliates. The affiliates identify targets and deploy the ready-made malicious software on a victim, earning a percentage of each successful ransom payment. Affiliates first steal the most sensitive data in a victim's systems and then encrypt them, and the ransom is split 80/20 between affiliates and administrators. Victims who do not pay end up having their data published on the Hive leak site.
According to the US Justice Department, the FBI infiltrated Hive's network in July 2022 and provided over 300 decryption keys to Hive victims who were under attack. By penetrating Hive's computer networks, the FBI saved victims from having to pay up to US$130 million in ransom demands.
Moreover, in coordination with German law enforcement and the Netherlands National High Tech Crime Unit, the FBI seized control of the servers and websites that Hive used to communicate with its members, disrupting Hive's ability to attack and extort victims.
“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims and investigation aimed at developing operations that hit our adversaries hard. The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American businesses and organizations,” said FBI Director Christopher Wray.
Interestingly, while the takedown of the Hive ransomware group puts a dent in cybercriminal activity, Adam Meyers, Head of Intelligence at CrowdStrike, thinks the group could still be a threat.
“HIVE SPIDER is the criminal adversary responsible for the development of Hive ransomware. The adversary has been in operation since June 2021 and advertises their program via private messages and also on criminal forums. HIVE SPIDER also maintains a dedicated leak site (DLS) where affiliates correspond with victims, conduct negotiations, and publish victim data.
The seizure of both the DLS and victim negotiation portal is a major setback to the adversary’s operations. Without access to either site, HIVE SPIDER affiliates will have to rely on other means of communication with their victims and will have to find alternate ways to publicly post victim data,” commented Meyers.