FBI ‘Hacked the Hackers’ to Bring Down Ransomware Gang

Source: Reuters | Published on January 27, 2023


The FBI revealed on Thursday that it had secretly hacked and disrupted the Hive ransomware gang, preventing the group from collecting more than $130 million in ransomware demands from more than 300 victims.

At a press conference, US Attorney General Merrick Garland, FBI Director Christopher Wray, and Deputy US Attorney General Lisa Monaco stated that government hackers broke into Hive’s network and placed the gang under surveillance, secretly stealing the digital keys the gang used to unlock victim organizations’ data.

They were then able to notify victims ahead of time so that they could take precautions to protect their systems before Hive demanded payment.

“We hacked the hackers using legal means,” Monaco told reporters. “We flipped the script on Hive.”

On Thursday morning, Hive’s website was replaced with a flashing message that read: “The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware.”

The German Federal Criminal Police and the Dutch National High Tech Crime Unit also seized Hive’s servers.

“Intensive cooperation across national borders and continents, characterized by mutual trust, is the key to effectively combating serious cybercrime,” said German police commissioner Udo Vogel in a statement from Baden-Wuerttemberg police and prosecutors who assisted in the investigation.

Reuters was unable to locate Hive’s contact information right away. It is unknown where they were located geographically.

The Hive takedown differs from some of the other high-profile ransomware cases announced by the US Justice Department in recent years, such as a cyber attack on the Colonial Pipeline Co. in 2021.

The Justice Department seized $2.3 million in cryptocurrency ransom in that case after the company had already paid the hackers.

There were no seizures in this case because investigators intervened before Hive demanded payment. The gang was unaware of the undercover infiltration, which began in July 2022.

MORE THAN $100 MILLION IN RANSOM

Hive was one of the most prolific of a slew of cybercriminal organizations that extort international corporations by encrypting their data and demanding massive cryptocurrency payments in exchange.

According to the Justice Department, Hive has targeted over 1,500 victims in 80 different countries over the years, collecting more than $100 million in ransomware payments.

Although no arrests were made on Wednesday, Garland stated that the investigation was ongoing, and one department official advised reporters to “stay tuned.”

Garland stated that the FBI’s operation assisted a variety of victims, including a Texas school district.

“The bureau provided decryption keys to the school district, preventing it from paying the $5 million ransom,” he explained. Meanwhile, a Louisiana hospital was spared $3 million.

Hive was a ransomware-as-a-service (RaaS) organization, which means it outsourced aspects of its hacking spree to affiliates in exchange for a cut of the profits.

In an email, Canadian researcher Brett Callow of cybersecurity firm Emsisoft stated that it was “one of the most active groups around, if not the most active.”

For years, international law enforcement has battled the hydra-like scourge of ransomware, which has periodically crippled businesses, government agencies, and – increasingly – critical infrastructure.

In the absence of arrests, Hive’s hackers will “either set up shop under a different brand or get recruited into other RaaS groups,” according to Jim Simpson, director of threat intelligence at British firm Searchlight Cyber.

Simpson praised the move, saying that “in any case, the operation has imposed a significant cost on Hive’s activities.”