USA infiltrate large ransomware gang: “We hacked the hackers”


WASHINGTON – The FBI and international partners have temporarily disrupted the network of a prolific ransomware gang they infiltrated last year, sparing victims, including hospitals and school districts, potential ransom payments of $130 million, Attorney General Merrick Garland and other US officials announced on Thursday.

“Put simply, we hacked the hackers through lawful means,” Assistant Attorney General Lisa Monaco said at a news conference.

Officials said the targeted group, known as Hive, operates one of the five largest ransomware networks in the world and has heavily targeted hospitals and other healthcare providers. The FBI quietly gained access to its control panel in July and was able to obtain the decryption keys needed to unlock the networks of about 1,300 victims worldwide, FBI Director Christopher Wray said. Officials credited the German police and other international partners.

However, it wasn’t immediately clear how the takedown will affect Hive’s long-term operations. Officials didn’t announce any arrests, but said they were mapping out the Hive administrators who manage the software and the affiliates who infect targets and negotiate with victims, as the investigation continues.

“I think everyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.

On Wednesday night, FBI agents seized the computer infrastructure in Los Angeles used to support the network. Two Hive dark-web sites were seized: one used to leak the data of non-paying victims, the other used to negotiate extortion payments.

“Cybercrime is an ever-evolving threat, but as I said, the Department of Justice will spare no resources to bring anyone who targets a ransomware attack in the United States to justice,” Garland said.

Garland said that, thanks to the infiltration led by the FBI’s Tampa office, agents were in one case able to prevent a Hive attack on a Texas school district and spare it from making a $5 million ransom payment.

The operation is a major win for the Justice Department. The ransomware scourge is the world’s biggest cybercrime problem, with victims ranging from the UK Post Office to the Irish Health Service to the government of Costa Rica, crippled by Russian-speaking syndicates enjoying Kremlin protection.

The criminals lock or encrypt victims’ computer networks, steal sensitive data and demand large sums of money. Extortion schemes have evolved to steal data before the ransomware is activated, effectively holding it hostage: pay in cryptocurrency, or the criminals release it publicly.

As an example of Hive’s threat, Garland said it stopped a Midwestern hospital from accepting new patients in 2021, at the height of the COVID-19 pandemic.

The online takedown notice, written in both English and Russian, mentions Europol and German partners in the effort. The German news agency dpa quoted the Stuttgart public prosecutor’s office as saying that cyber specialists in the southwestern town of Esslingen were instrumental in penetrating Hive’s criminal IT infrastructure after a local company fell victim.

In a statement, Europol said companies in more than 80 countries, including oil multinationals, have been compromised by Hive. It said Europol had provided cryptocurrency, malware and other analysis, and that law enforcement agencies from 13 countries were involved in the effort.

A US government advisory last year said that from June 2021 to November 2022, Hive ransomware actors victimized over 1,300 companies worldwide and received approximately $100 million in ransom payments. It said criminals using Hive’s ransomware-as-a-service tools have targeted a wide range of businesses and critical infrastructure, including governments, manufacturing companies, and particularly healthcare and public health organizations.

According to Wray, although the FBI has offered decryption keys to about 1,300 victims around the world, only about 20% of them had reported the attacks to law enforcement.

“Fortunately, we were able to identify and help many more victims who have not come forward. But that’s not always the case,” Wray said. “When victims report attacks to us, we can help them and others as well.”

In some cases, cybersecurity experts say, victims quietly pay ransoms without notifying authorities, even if they were able to quickly restore their networks, because the criminals stole files that could cause them extreme harm if leaked online, such as information that could be used for identity theft.

John Hultquist, head of threat intelligence at cybersecurity firm Mandiant, said the Hive disruption won’t cause a major drop in overall ransomware activity, but it’s still “a blow to a dangerous group.”

“Unfortunately, at the heart of the ransomware problem, the criminal marketplace has a Hive competitor standing by to offer a similar service in their absence, but they might think twice before allowing their ransomware to be used for hospitals,” said Hultquist.

But Brett Callow, an analyst at cybersecurity firm Emsisoft, said the operation is likely to reduce ransomware crooks’ confidence in a very high-reward, low-risk business.

“The information gathered may point to affiliated companies, money launderers and others involved in the ransomware supply chain,” Callow said.

And analyst Allan Liska of cybersecurity firm Recorded Future said the operation shows that “law enforcement’s multi-pronged strategy of arrests, sanctions, seizures and more is working to slow ransomware attacks.” He predicted that this would lead to charges, if not arrests, over the next few months.

The ransomware threat caught the attention of the highest levels of the Biden administration two years ago, after a series of high-profile attacks that threatened critical infrastructure and global industry. In May 2021, for example, hackers targeted the country’s largest fuel pipeline, resulting in the operators shutting it down briefly and making a multimillion-dollar ransom payment, most of which was recovered by the US government.

Federal officials have used a variety of tools to combat the problem, but traditional law enforcement measures such as arrests and prosecutions have done little to frustrate criminals.

The FBI has previously gained access to decryption keys. That happened in the case of a major ransomware attack in 2021 on Kaseya, a company whose software powers hundreds of websites. It took some heat, however, for waiting several weeks before helping victims unlock the affected networks.

____

Bajak reported from Boston. Associated Press writer Kirsten Grieshaber in Berlin contributed to this report.

Copyright 2023 The Associated Press. All rights reserved. This material may not be published, broadcast, transcribed or redistributed without permission.
