FBI turns tables on hackers in ransomware “cyber stakeout”

In a 21st-century cyber stakeout that turned the tables on hackers, FBI covertly infiltrated Hive network, thwarting over US$130 million in ransom demands

The United States Justice Department announced yesterday it has successfully disrupted a global ransomware group known as Hive, which has claimed over 1,500 victims in more than 80 countries. 

The group, which has targeted hospitals, school districts, financial firms, and critical infrastructure, has been under investigation by the FBI since July 2022. In a coordinated effort with German and Dutch law enforcement agencies, the FBI was able to infiltrate Hive's computer networks, capture its decryption keys, and offer them to victims worldwide. This prevented victims from having to pay the US$130 million in ransom Hive had demanded.

Since infiltrating Hive's network in July 2022, the FBI has provided over 300 decryption keys to victims who were under attack and an additional 1,000 keys to previous victims. The Justice Department also announced that it has seized control of the servers and websites used by Hive to communicate with its members, effectively disrupting the group's ability to attack and extort victims.

“The Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” says Attorney General Merrick B. Garland. “Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack.”

Hospitals had to ditch digital in ransomware attacks

Since June 2021, the Hive ransomware group has targeted more than 1,500 victims around the world and received over US$100 million in ransom payments.  

Hive ransomware attacks have caused major disruptions in victims' daily operations around the world and affected responses to the COVID-19 pandemic. In one case, a hospital attacked by Hive ransomware had to resort to analogue methods to treat existing patients and could not accept new patients immediately following the attack.   

Hive used a ransomware-as-a-service (RaaS) model featuring administrators, sometimes called developers, and affiliates. RaaS is a subscription-based model where the developers or administrators develop a ransomware strain and create an easy-to-use interface with which to operate it, and then recruit affiliates to deploy the ransomware against victims. Affiliates identified targets and deployed this ready-made malicious software to attack victims, then earned a percentage of each successful ransom payment.

Deputy Attorney General Lisa O. Monaco says: “The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators. In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than US$130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the centre of our efforts to mitigate the cyber threat.”

The coordinated disruption of Hive’s computer networks shows what authorities can accomplish with operations that hit adversaries hard, says FBI Director Christopher Wray. “The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American business and organisations.”

Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division says: “Our efforts, in this case, saved victims over a hundred million dollars in ransom payments and likely more in remediation costs. This action demonstrates the Department of Justice’s commitment to protecting our communities from malicious hackers and to ensuring that victims of crime are made whole. Moreover, we will continue our investigation and pursue the actors behind Hive until they are brought to justice.”
