By Staff Writer.
After six months of covert disruptions, the Federal Bureau of Investigation (FBI) shut down the Hive ransomware group last week, disabling their services and websites. “We hacked the hackers,” said the law enforcement agency in media statements. However, the agency made no arrests.
Detailing the operation, the Department of Justice (DOJ) confirmed that the FBI infiltrated the Hive ransomware group in July 2022. They began a disruption campaign, which included providing more than 300 decryption keys to Hive targets and, in the process, deprived the cyber-gang of approximately US$130 million in potential ransom payments.
“The FBI has labelled Hive a top five ransomware threat, both for its technical sophistication and for the harm it can inflict on victims,” said US Deputy Attorney General Lisa Monaco. “But for all the group’s technical prowess, it could not outfox our prosecutors, agents, and international law enforcement coalition.”
Hive developed the ransomware in June 2021 and sold it as ransomware-as-a-service, providing the product to other cyber-groups, with Hive collecting 20% of each ransom. Since becoming embedded in the group’s systems in July, the FBI watched and waited while affiliates targeted victims and issued ransom demands.
The FBI said these slow-burn infiltrations of cyber-gangs were becoming more common. This most recent success followed the FBI’s involvement in Operation Ironside, which saw that agency and the Australian Federal Police (AFP) take over AN0M, a dedicated encrypted communications platform favoured by professional criminals. US Attorney General Merrick Garland said the FBI will continue to disrupt the rising threat of cyber-criminal enterprises.
“We hide in the network. We watch as they proceed with their attacks, we discover the keys, and we deliver the keys to the victims so that they can decrypt their systems and don’t have to pay the ransom,” he said last week about Hive. “Finally, we take down the infrastructure. We take down the servers that power Hive’s ability to go ahead. We can only do that once we’re able to locate where the servers are, and that’s what we were able to do only very recently, and we resolved the matter last night.”
Led by FBI investigators from the Tampa Division, one of the last breakthroughs was locating two back-end servers in Los Angeles that were used to store critical network data. Once the servers were identified, the FBI obtained court orders and seized them.
“The seizure of both the dedicated leak site and victim negotiation portal is a major setback to the adversary’s operations,” said Adam Meyers, head of intelligence at CrowdStrike. “Without access to either site, Hive affiliates will have to rely on other means of communication with their victims and will have to find alternate ways to publicly post victim data.”
Since shutting down the Silk Road marketplace in 2013, the FBI has steadily increased its cyber-disruption activities, including making some arrests. In mid-2021, the FBI took the DarkSide cyber-gang offline and shut it down. Later that year, members of the notorious REvil gang were arrested, with some money retrieved and returned to victims.
“We will not rest when it comes to Hive and its affiliates,” said Garland. “If you target victims here in the United States, we will target you.”