Hive Ransomware Operation Disrupted After FBI Took Over the Group’s Infrastructure

While the Hive ransomware operation was breaking into servers, exfiltrating data, and demanding ransoms from its victims, the FBI was watching from inside the group’s own infrastructure. The FBI gained access to Hive’s servers in late July 2022 and studied the group’s tactics from within, which allowed victims to recover without paying a ransom.

The FBI waited for the right moment to act, and when it came, it struck. The Department of Justice (DOJ) has announced the seizure of the Hive ransomware group’s digital infrastructure, including the group’s data leak site, its Tor-based payment and negotiation site, and the infrastructure its leadership and affiliates used to communicate.

The Hive ransomware gang was among the most active and aggressive ransomware-as-a-service (RaaS) operations, having carried out more than 1,500 attacks on organizations in over 80 countries in under two years. Although some RaaS operators forbid their affiliates from attacking the healthcare sector, Hive adopted no such policy. The group carried out many attacks on hospitals and health systems, along with schools, critical infrastructure entities, and financial companies. Its healthcare victims include Lake Charles Memorial Health, Consulate Health, Tift Regional Medical Center, Johnson Memorial Health, Greenway Health, Partnership HealthPlan, Missouri Delta Medical Center, and First Choice Community Healthcare.

Since June 2021, the Hive ransomware gang has earned more than $100 million in ransom payments. The group typically gains initial access through a variety of methods, including phishing, exposed Remote Desktop Protocol (RDP) services, stolen credentials, VPN logins, and exploitation of vulnerabilities in internet-exposed systems. Once inside, the group moves laterally, locates data of interest, exfiltrates files, and then encrypts systems. Victims are then told to pay both for the decryption key and to prevent the stolen data from being published. When a victim refuses to pay, the stolen data is posted on the group’s data leak site.

The seizure followed a months-long infiltration of the group’s infrastructure, carried out with the assistance of Europol, the U.S. Attorney’s Office for the Central District of California, the U.S. Attorney’s Office for the Eastern District of Virginia, the U.S. Secret Service, and law enforcement agencies in the Netherlands and Germany. The FBI accessed one of the gang’s virtual servers and two dedicated servers hosted by a hosting provider in California. Dutch law enforcement assisted with the seizure of two backup servers hosted by a provider in the Netherlands. These servers hosted the gang’s main data leak site, its negotiation site, and the web interfaces used by the gang’s members and affiliates.

While inside the infrastructure, the FBI obtained details of planned attacks and contacted the targeted organizations to warn them. Over the past six months, this allowed the FBI to prevent around $130 million in ransom payments. The FBI obtained decryption keys for around 300 victims who were under attack and distributed about 1,000 additional decryption keys to prior victims. The FBI also obtained recorded communications, malware file hash values, details of the roughly 250 affiliates who carried out attacks for the group, and a record of previous victims. The group’s websites now display a seizure notice that alternates between English and Russian, stating that the sites have been taken over.

Deputy Attorney General Lisa O. Monaco said that the Department of Justice’s takedown of the Hive ransomware group’s operations sends a clear message to both cybercrime victims and perpetrators. Using 21st century cyber surveillance, the investigative team turned the tables on Hive, taking its decryption keys, giving them to victims, and ultimately preventing ransom payments worth more than $130 million. The department will continue to strike back against cybercrime by any means possible and will keep victims at the center of its efforts to mitigate the cyber threat.

The Hive gang is Russian-speaking and is believed to operate from outside the United States. Russia and the United States have no extradition treaty, and Russia has historically been reluctant to act against ransomware groups operating within its borders. The information obtained about group members and affiliates will probably lead to indictments, but bringing those individuals to trial may prove difficult. Although the operation has caused considerable disruption to the Hive campaign, the group is well resourced and has received substantial sums in ransom payments, so it is likely to rebuild its infrastructure and resume operations under another name. Even so, this is a major achievement that has averted many damaging attacks on the healthcare sector.

The takedown of the Hive service will not make a serious dent in overall ransomware activity, but it is a setback for a dangerous group that has harmed many lives by targeting the healthcare sector. Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures that a Hive rival will be ready to offer an identical service, although that rival may think twice before allowing its ransomware to be used against hospitals. According to John Hultquist, Head of Mandiant Threat Intelligence, actions like this add friction to ransomware operations. Hive may have to regroup, retool, and rebrand. When the group cannot be arrested, the focus must be on tactical solutions and improved security. Until the Russian safe haven and the resilient cybercrime marketplace are addressed, this will remain the focus.