On January 26, 2023, the FBI, DOJ, and international law enforcement partners dropped a bombshell of an announcement: they had dismantled the infrastructure of one of the most prolific ransomware groups. Hive ransomware has long been known as an extremely active operation, responsible for many ransomware attacks, including against hospitals. But the full extent of the Hive network was unknown until DOJ unsealed the affidavit supporting the seizure of the servers used by Hive. Perhaps the biggest revelation was that for months the FBI had had covert access to Hive's computer network and was able to capture decryption keys and pass them on to victims of ransomware attacks before they paid. Deputy Attorney General Lisa Monaco called this a "21st century cyber stakeout," and explained that the FBI had "hacked the hackers."
What We Learned from the Affidavit
- Hive ransomware had over 1,500 victims around the world. The list of victims includes hospitals, law firms, financial firms, and school districts.
- Hive ransomware uses the Ransomware as a Service ("RaaS") model. This is one of the most common ransomware models today and lets a ransomware group operate like an organized-crime franchise. The central group (Hive) develops the ransomware strain and distributes it to affiliates through an easy-to-use interface. Affiliates then deploy the ransomware against victims, typically using a double-extortion model (data exfiltration, followed by encryption), and demand a ransom for both the decryption key and a promise not to publish the stolen data. Affiliates split the ransom payment 80/20 with the operators of the central group, with the affiliate keeping the larger share.
- Hive ransomware had 250 affiliates.
- The FBI was able to obtain decryption keys for 336 victims of Hive Ransomware since July 2022. According to the FBI, this saved victims around $130 million in ransom payments.
- Hive used a sophisticated network of servers, including servers hosted in the United States, to communicate with their affiliates, store victim information, negotiate with victims, and publish to other users of the dark web (through a leak site used to name and shame victims who did not pay).
Three Takeaways from the Hive Takedown
- The FBI can provide substantial assistance to victims of cyber crimes. We still hear trepidation from certain companies about calling the FBI when suffering a cyber attack, due both to concerns regarding the confidentiality of the information and to fear of becoming the target of a law enforcement investigation. Reporting ransomware attacks to the FBI or other law enforcement is typically not required (yet). But this matter demonstrates the value that the FBI can deliver, including by providing a working decryption key. The FBI also can share valuable intelligence about threat actors, such as their modus operandi and, where attribution is murky, the likely candidates behind an attack. That is the type of intelligence that can help companies decide whether to engage with and, as a last resort, pay the threat actors.
- There is hope in sight. The FBI's takedown of one ransomware group's infrastructure is not going to magically stop ransomware attacks. There is too much money at stake. But this operation demonstrates the power of law enforcement to disrupt these operations. It will likely force the operators to invest more in operational security or alter their "business" setup, which could add friction to the ransom groups' workflow and slow them down.
- The ransomware groups are well-resourced. Notwithstanding the positive elements of the takedown, the FBI's affidavit demonstrates the sophistication and breadth of ransomware operations: 1,500 victims and 250 affiliates are huge numbers for just one ransomware group. Add to that the sophistication of their infrastructure and it is clear why they are making so much money. Reports of a slower year in ransomware attacks may be attributable to the hackers focusing on the war in Ukraine, as much as to the hackers taking some time off to enjoy the hundreds of millions of dollars in extortion payments. But fall 2022 and early 2023 are demonstrating that the hackers are back at it.