
US DOJ busts ransomware hive, saves victims $130 million in ransom

By Joy LePree Anderson
FBI Director Christopher Wray

Image via FBI/DOJ

January 27, 2023

Yesterday, the U.S. Department of Justice (DOJ) announced the infiltration of the Hive ransomware group that has targeted more than 1,500 victims, including hospitals, school districts, financial firms and critical infrastructure, in over 80 countries. Since July 2022, the Federal Bureau of Investigation (FBI) has worked to penetrate Hive’s computer networks and capture over 300 decryption keys, offering them to victims around the world who were under attack, thwarting over $130 million in ransom demands, according to FBI Director Christopher Wray. Hive is thought to operate as one of the top-five ransomware networks and has heavily focused on healthcare facilities as targets.

According to the government, yesterday’s operation successfully disrupted a Hive ransomware attack on a Louisiana hospital, saving the victim from paying $3 million in ransom, and prevented another attack that targeted a Texas school.

In addition, the department was able to capture and distribute over 1,000 additional decryption keys to previous Hive victims. And, working with German and Dutch law enforcement, the FBI seized control of the servers and websites that Hive used to communicate with its members, disrupting Hive’s ability to attack and extort additional victims.

Hive used a Ransomware as a Service (RaaS) model featuring administrators and affiliates. The administrators developed a ransomware strain, created an easy-to-use interface to operate it and then recruited affiliates to deploy the ransomware against victims. Affiliates identified targets, deployed the malicious software to attack victims and then earned a percentage of each ransom payment, DOJ officials explain.

Hive actors favored a double-extortion model of attack where, before encrypting the victim's system, the affiliate would exfiltrate sensitive data. The affiliate then sought a ransom for both the decryption key needed to unlock the victim’s system and a promise not to publish the stolen data. Hive actors frequently targeted the most sensitive data in a victim’s system to increase the pressure to pay. After a victim paid, affiliates and administrators split the ransom 80/20. If victims did not pay, Hive published their data on the Hive Leak Site.

According to the DOJ, these Hive ransomware attacks have caused major disruptions in victims’ daily operations and negatively impacted responses to the COVID-19 pandemic. In one case, a hospital attacked by Hive ransomware had to resort to analog methods to treat existing patients and was unable to accept new patients immediately following the attack. Since June 2021, Hive has targeted more than 1,500 victims globally and received more than $100 million in ransom payments.

Security experts weigh in

Security experts have commended the government’s action. “In cybersecurity, there is a tendency to be on one's heels from a defensive posturing standpoint. Concentrated offensive actions such as this expansive takedown not only disrupt the criminal crew's immediate activities, but also compromise their overall operation by obtaining the encryption keys to stolen data,” explains Tim Morris, Chief Security Advisor, AMER, with Tanium. “This could lead to the recovery of data previously thought lost or inaccessible, which is a significant victory for authorities. While it's unlikely to make all victims whole, even a partial recovery of data is promising. Obtaining the keys is one of the biggest wins in this case by far.”

Yet, experts remind organizations that the threat is ongoing and to take action to protect sensitive data from ransomware attacks. “What is a significant win for law enforcement could in reality be just a road bump for the Hive ransomware group,” explains Jan Lovmand, CTO, with BullWall. “Whenever law enforcement starts paying significant attention and effort to a particular group, they often scatter or reorganize under a different name. We have seen these seizes before, only for the gang to surface with new extortion sites and ransomware names or sometimes as several smaller groups.”

Lovmand continues: “In the past they have seen these interruptions as temporary setbacks to a very lucrative business — similar to when a drug cartel has a shipment seized. They lose some income, get disrupted, but rarely stop their criminal activity to become honest working individuals. Law enforcement in several regions have, in the past, recovered ransoms paid from other gangs or seized decryption keys, but what is different this time is how many victims the FBI has been able to help and for how long.”

Duncan Greatwood, CEO of Xage Security, says, “The year has started off with a bang with critical infrastructure attacks — both physical and cyber — at an all-time high. Why? Critical infrastructure attacks result in widespread impacts, draw international attention and increase the success of a ransomware payout. Every second of downtime at energy, utilities, hospitals and other critical infrastructure around the world can leave communities stranded and even cost lives, forcing parties to respond quickly.”

Greatwood continues: “Today’s announcement is a win for the DOJ and I applaud their efforts but we also need to be realistic. Adversaries are smart and this win is bound to be short-lived. If we don’t shift our mindset and find ways to not only stop them, but also prevent them from getting access in the first place, we’ll continue to see these attacks succeed. Adversaries are always one step ahead and bound to already be searching for new ways to break through and impact our day-to-day lives in order to achieve their goals. It’s paramount that critical infrastructure operators embrace the latest technology and security measures to go beyond just detecting and reacting to these attacks and instead prevent them by blocking them at the source.”

KEYWORDS: attacks data education security FBI hospital security ransomware


Joy LePree Anderson is a former Associate Editor of Security magazine.
