A coordinated cyber operation against Hive ransomware group—led by the FBI, German, and Dutch law enforcement—has seized its servers and website. The operation has dealt Hive group a serious blow. It’s denied the group USD 130 million in ransoms by releasing 1,300 decryption keys to victims.
Since July 2022, law enforcement agencies from 13 countries have been involved in a covert operation. This operation has now crippled Hive’s ability to communicate with its affiliates and extort victims. The group mainly targets critical infrastructure organizations, including healthcare, information technology, government facilities, manufacturing, and commercial facilities.
The DOJ issued a statement on the operation saying, “in coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, it has seized control of the servers and websites that Hive uses to communicate with its members, disrupting Hive’s ability to attack and extort victims.”
The Hive Ransomware Server Seizure
Starting in July 2022, the FBI infiltrated Hive’s servers and obtained 1,300 decryption keys during its operations against the group’s infrastructure. The FBI then distributed these keys to companies the cybercrime gang had breached. Hive specialized in developing the ransomware that its affiliates deployed to hold sensitive information to ransom until the victims paid.
After examining Hive’s servers, the FBI has gained information on 250 such affiliates. This will help it make arrests once the operation concludes. The international coalition identified members of the gang through the email addresses they used to sign up with a hosting provider in California.
Key agencies and departments involved include Europol, the FBI, the DOJ, the Secret Service, the Federal Criminal Police Office (Germany), the National High-Tech Crime Unit (Netherlands), and other agencies from Canada, France, Ireland, Lithuania, Portugal, Romania, Spain, Norway, Sweden, and the UK.
In an announcement calling out cybercriminals who threatened US critical infrastructure, the US Department of State warned that it would take every step necessary to hunt them down. Moreover, the announcement declared a USD 10 million reward for any individual providing information on such operations carried out with the backing of a foreign government. The US has paid over USD 135 million in rewards since 1986 under the Transnational Organized Crime Rewards Program (TOCRP).
Hive Ransomware Has Caused Serious Damage Worldwide
Hive ransomware first came onto the scene in June 2021. Since then, it has extorted more than USD 100 million from 1,500 victims in 88 countries. The group develops ransomware that it supplies commercially to affiliates, who use it to encrypt sensitive information and collect ransom payments from target entities.
In most cases, the ransomware exploits ProxyShell flaws in Microsoft Exchange Server to gain a foothold. Following this, threat actors take steps to terminate processes associated with antivirus engines and data backups. Explaining Hive’s tactics after the operation, Europol’s website read, “Some Hive actors gained access to victim’s networks by using single factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols. In other cases, Hive actors bypassed multi-factor authentication and gained access by exploiting vulnerabilities.”
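The two behaviours described above, terminating antivirus and backup processes and logging in over RDP or VPN with a single factor, are both visible in ordinary endpoint and authentication telemetry. The following is an added example, not code from the original article or from any of the agencies it names: a small detection pass over constructed JSON event lines that flags each behaviour and escalates when the same account both logged in without MFA and killed both an antivirus and a backup process on one host. The process names, hostnames, addresses and watchlist are all constructed placeholders for the example.

```python
"""Detection pass for two Hive-style precursors over constructed sample events:
(1) termination of antivirus/backup processes, (2) single-factor RDP/VPN logons.
Everything below (watchlist, events, names) is constructed for illustration."""
import json
from collections import defaultdict

# Hypothetical defender-maintained watchlist of protected processes (constructed).
PROTECTED_PROCESSES = {
    "antivirus": {"avengine.exe", "endpointprotect.exe"},
    "backup": {"backupagent.exe", "vsswriter.exe"},
}

REMOTE_PROTOCOLS = {"rdp", "vpn"}

# Constructed sample events as JSON lines; not real telemetry from any incident.
SAMPLE_EVENTS = """\
{"ts":"2023-01-20T01:58:30Z","host":"vpn-gw","type":"logon","user":"svc-admin","protocol":"rdp","mfa":false,"src":"203.0.113.7"}
{"ts":"2023-01-20T02:11:04Z","host":"srv-fin-01","type":"process_terminate","target":"AVEngine.exe","actor":"svc-admin"}
{"ts":"2023-01-20T02:11:05Z","host":"srv-fin-01","type":"process_terminate","target":"backupagent.exe","actor":"svc-admin"}
{"ts":"2023-01-20T02:11:06Z","host":"srv-fin-01","type":"process_terminate","target":"notepad.exe","actor":"jdoe"}
{"ts":"2023-01-20T08:15:00Z","host":"vpn-gw","type":"logon","user":"jdoe","protocol":"vpn","mfa":true,"src":"198.51.100.9"}
"""


def classify_kill(target):
    """Return the watchlist category of a terminated process, or None if benign."""
    name = target.lower()
    for category, procs in PROTECTED_PROCESSES.items():
        if name in procs:
            return category
    return None


def detect(events_text):
    """Return a list of alert dicts for the suspicious events in events_text.

    Per-event alerts: one per watchlisted process kill, one per single-factor
    remote logon.  Correlated alert: an actor that kills both an antivirus and a
    backup process on one host; severity is 'high' if that actor also had a
    single-factor remote logon in the same batch, else 'medium'."""
    alerts = []
    kills = defaultdict(list)      # (host, actor) -> [(category, target), ...]
    single_factor_users = set()

    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "process_terminate":
            category = classify_kill(ev["target"])
            if category is None:
                continue
            kills[(ev["host"], ev["actor"])].append((category, ev["target"]))
            alerts.append({"rule": f"{category}_process_terminated", "severity": "medium",
                           "host": ev["host"], "actor": ev["actor"],
                           "detail": ev["target"], "ts": ev["ts"]})
        elif ev["type"] == "logon":
            if ev.get("protocol") in REMOTE_PROTOCOLS and not ev.get("mfa", False):
                single_factor_users.add(ev["user"])
                alerts.append({"rule": "single_factor_remote_logon", "severity": "medium",
                               "host": ev["host"], "actor": ev["user"],
                               "detail": f"{ev['protocol']} from {ev['src']}", "ts": ev["ts"]})

    # Escalation: both defensive tool classes killed by one actor on one host.
    for (host, actor), items in kills.items():
        categories = {c for c, _ in items}
        if {"antivirus", "backup"} <= categories:
            alerts.append({"rule": "av_and_backup_kill_sequence",
                           "severity": "high" if actor in single_factor_users else "medium",
                           "host": host, "actor": actor,
                           "detail": ",".join(t for _, t in items), "ts": None})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rule"], alert["host"], alert["actor"], alert["detail"])
```

Run as-is it prints four alerts from the constructed batch: the single-factor RDP logon, the antivirus kill, the backup kill, and the correlated high-severity sequence for the same account; the `notepad.exe` termination and the MFA-backed VPN logon produce nothing. In a real deployment the watchlist would come from the organisation's own inventory of endpoint-protection and backup agents, and the correlation window would be bounded by time rather than by a whole batch.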
After the victims pay the ransom, it’s split 80/20 between developers and affiliates. If a target refuses to pay, Hive threat actors make good on their threats and upload the stolen information to the Hive website. This is no longer an option now that the operation has taken the site down. Hive criminals provide victims with a plain text file containing decryption details and a warning not to talk to police or decryption specialists. Victims are further advised not to rename encrypted files, as renamed files will be lost forever.
Protection from Ransomware
Given how cybercrime has evolved over the years, layering a number of different techniques offers more effective protection than relying on just a few techniques in isolation. These include:
- Patching software regularly and frequently
- Upgrading from obsolete software that cybercriminals commonly target
- Arranging employee awareness training to counter email phishing attacks and social engineering
- Implementing a high-quality antivirus solution and malware-scanning toolkit
- Mandating multi-factor authentication across all services
- Regularly changing and employing strong, complex passwords
Besides these, companies must maintain secure backups of all sensitive information. Backups offer a failsafe in case the corporate network is ever breached. The caveat is that a backup system is itself another asset threat actors can target, so it needs the same protection as the data it holds.
Additionally, companies can purchase cyber insurance to offset losses from these incidents. But cyber attacks are becoming increasingly uninsurable—coverages are shrinking while premiums keep rising. Under such circumstances, the onus rests with business owners to balance their cybersecurity budgets, considering their financial limitations.
Despite this, more and more companies are growing reluctant to pay ransomware actors to decrypt their data. According to Coveware, only 41% of victims paid a ransom in 2022, while 76% ended up paying in 2019. Moreover, in Q4 of 2022, around 37% of victims paid a ransom—far fewer than the 85% who paid in Q1 of 2019.
Progress Made, but Hive Will Resurface
Ransomware-as-a-service groups are notorious for adapting and changing their tactics. They can tell when law enforcement is closing in, and to throw investigators off the scent they can just as easily set up another website. Though the investigation is nearing its culmination, the authorities have yet to make any arrests. Even if these players are taken off the streets in the coming days, new groups will immediately step in to fill the void.
This, however, takes nothing away from the inter-agency collaboration that brought about the seizure of Hive’s website and infrastructure, dealing the group a major blow in the process. Law enforcement will likely keep pursuing the affiliates, who will have to find other avenues to resume their activities.
What’s becoming clearer is that the authorities have started taking these crimes more seriously, calling on victims not to play into the criminals’ hands and instead to contact law enforcement for decryption keys, which they can obtain for free.