Hive Ransomware Seized in Global Sting

Hive ransomware was seized after a joint US-German law enforcement crackdown. This stopped $130 million in demands for payment from more than 1,500 victims around the world, according to law enforcement authorities.

‍

The FBI began infiltrating the group's website in July, capturing its decryption keys and offering them to victims in 80 countries. This included hospitals, schools, financial firms and critical infrastructure, according to the US Justice Department. The US then coordinated with law enforcement in Germany and the Netherlands.

The Justice Department will use all available resources to identify and prosecute anyone who targets the United States with a ransomware attack, Attorney General Merrick Garland said at a press conference in Washington on Thursday. He added that the department will continue to work with international partners to disrupt the criminal networks that deploy these attacks.

The seizure of the Emotet botnet won't seriously reduce overall ransomware activity, but it is a blow to a dangerous group, and could send a signal to other hackers, according to John Hultquist, vice president for intelligence analysis at Mandiant Inc.

"The criminal marketplace that fuels the ransomware problem ensures that there will always be a competitor standing by to offer a similar service," Hultquist said. "However, they may think twice before allowing their ransomware to be used to target hospitals."

He said that law enforcement actions "add friction to ransomware operations" and that "Hive may have to regroup, retool, and even rebrand." He added: "Until we can address the Russian safehaven and the resilient cybercrime marketplace, this will have to be our focus."

US officials have accused Moscow of failing to crack down on ransomware originating within the country's borders, which they say enables Russian-speaking cybercriminals to act. Moscow has denied the claim. The Hive seizure screen alternates between English and Russian.

The seizure was the result of an investigation into a cyberattack against a company last year. Cyberspecialists with the police in the southern German city of Esslingen traced the scam to the Hive network and gave their international law enforcement partners “the crucial clue,” Stuttgart prosecutors said in a statement.

An investigative team led by the FBI has infiltrated the hive network, monitoring its activity and stealing the keys, Deputy Attorney General Lisa Monaco said.

"We used legal means to hack the hackers," Monaco said.

Hive, a website that was used to distribute the Hive Ransomware, was seized by the FBI on Thursday. This action was taken as part of a coordinated law enforcement effort to shut down the ransomware operation.

The Hive group is responsible for causing disruptions around the world that have affected responses to the Covid pandemic, among other attacks. Over the course of three years, they received more than $100 million in ransom payments from 1,500 victims. In one particularly devastating attack, a hospital was forced to use analog methods to treat patients and was unable to accept new patients. The Justice Department issued a statement Thursday condemning the group's actions.

Hive would broadcast stolen information, including patient data and employee information from victims, the FBI said last year. The technique represented a kind of double-extortion tactic that intruders increasingly use to step up the pressure on their victims to pay a fee, usually in Bitcoin. By breaching organizations and demanding an extortion fee, Hive was able to put victims in a compromising position.

The Hive hacking group was first observed in June 2021, according to the United States. The group is believed to be responsible for a number of high-profile cyber attacks, including the recent attack on the US government's computer systems.

Hive has targeted a number of high-profile organizations, including the Bank of Zambia and several US healthcare providers. Last year, the Bank of Zambia refused to pay a ransom after being hit by Hive, and the group has also targeted Indonesia's state-backed oil and gas company.

Microsoft has released a security alert about the group Hive, which it says has emerged as one of the most prevalent examples of the "ransomware as a service" model. This model refers to groups of cybercriminals who lease access to their tools to separate partners, taking a cut of the proceeds after a successful digital extortion.