Global law enforcers celebrated this week after revealing a coordinated operation to disrupt the Hive ransomware variant.
The ransomware-as-a-service (RaaS) outfit has targeted more than 1500 victims in over 80 countries since June 2021, making an estimated $100m in the process, according to the Department of Justice (DoJ). Victims included hospitals, schools, financial firms and critical infrastructure players.
However, from late July 2022, the FBI was able to gain access to the group’s computer networks, enabling it to capture decryption keys and distribute them to Hive victims globally, the DoJ said.
These 1300+ keys apparently saved victims an estimated $130m in ransom demands.
Alongside this operation, European police teamed up with the FBI to take down key infrastructure used by the group.
Thirteen countries in total participated in the operation, including the UK, Canada, France, Norway, Portugal, Romania, Spain and Sweden. However, it was German and Dutch police that seized the servers and websites used by Hive to communicate with its members and affiliates.
“The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators,” said US deputy attorney general Lisa Monaco.
“In a 21st century cyber-stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130m in ransomware payments.”
Hüseyin Can Yuceel, security researcher at Picus Security, described Hive as one of the most prolific ransomware groups of the past five years.
“The FBI’s press release did not give any specific names. There is no attached indictment,” he added.
“Sophisticated ransomware threat actors are not easy to identify, and even if they are identified, they may not be within the agency’s reach. That’s why the FBI took the next best approach and disrupted the group’s operations.”
On that note, the State Department reiterated its promise to pay “up to $10m” for any information on the location or identity of cyber-criminals working for hostile states.
“If you have information that links Hive or any other malicious cyber actors targeting US critical infrastructure to a foreign government, send us your tip via our Tor tip line. You could be eligible for a reward,” it said via Twitter.
Mark Lamb, CEO of HighGround, warned that Hive’s members would likely reappear.
“The infrastructure is just one element of the gang’s success, and until law enforcement capture the criminals, there is a high chance they will resurface under a new identity with brand new infrastructure ready to terrorise again. Do DarkSide or BlackMatter ring any bells?” he argued.
“While the takedown and seizing of the decryption keys is brilliant and a major win for law enforcement, the threat of ransomware still looms.”