Breaking news: FBI shuts down Hive ransomware gang’s IT infrastructure



The US Federal Bureau of Investigation (FBI) has seized the website of the Hive ransomware gang after it penetrated the group’s computer network.

The agency said on Thursday that it penetrated the network in July 2022 and captured the group's decryption keys. It has since quietly given those keys to 300 victims who were under active attack, and has distributed over 1,000 additional decryption keys to previous Hive victims.

Yesterday it seized control of the Hive website, in coordination with German law enforcement (German Federal Criminal Police and Reutlingen Police Headquarters – CID Esslingen) and the Netherlands National High Tech Crime Unit.

In making the announcement, the FBI thanked several police forces in Ontario, including the RCMP and Peel Regional Police.


“Last night the Department of Justice dismantled an international ransomware network responsible for attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” US Attorney General Merrick Garland said in a statement this morning.

“Cybercrime is an ever-evolving threat. But as I have said before, the Department of Justice will spare no resources to identify and bring to justice anyone targeting the United States with a ransomware attack. We will continue to work to prevent attacks and provide assistance to victims who have been targeted. And together with our international partners, we will continue to dismantle the criminal networks that perpetrate these attacks.”

Since June 2021, the Hive ransomware group has targeted over 1,500 victims worldwide and received over US$100 million in ransom payments.

Law enforcement is certainly having more success disrupting ransomware operations, perhaps because more resources are being allocated to the effort, said Brett Callow, a British Columbia-based threat analyst for Emsisoft. “While individual disruptions may not have a significant impact on the overall landscape, collectively they do, with the intelligence gathered being used to target individuals and other components of the ransomware supply chain.”

Hive is one of the most active ransomware operations around – perhaps the most active – and was responsible for at least 11 incidents in 2022 involving US governments, schools and healthcare providers. Hive attacks have disrupted victims' daily operations around the world and affected responses to the COVID-19 pandemic, the FBI said. In one case, a hospital attacked by Hive ransomware had to resort to analog methods to treat existing patients and was unable to accept new patients immediately following the attack.

According to a background advisory on the group from the US Cybersecurity and Infrastructure Security Agency (CISA), Hive affiliates often gain initial access to victim networks through single-factor logins over Windows Remote Desktop Protocol (RDP), virtual private networks (VPNs) and other remote network connection protocols.

In some cases, Hive actors bypassed multi-factor authentication by exploiting a known, unpatched vulnerability in Fortinet FortiOS servers, CVE-2020-12812. This vulnerability lets a malicious actor log in without being prompted for the user’s second authentication factor (FortiToken) when the actor changes the case of the username.
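The username-case bypass described above, modeled as an added example that is neither FortiOS code nor from the article: a credential store that matches usernames case-insensitively sits beside an MFA-policy store that matches the username string exactly, so the policy lookup misses when the attacker changes the case and the second factor is never requested. The hardened version canonicalises the name before every lookup. The account data and the `vulnerable_login`/`hardened_login` functions are constructed for illustration and do not reproduce the actual FortiOS defect.

```python
# Added illustration (not FortiOS code, not from the article): a model of how a
# case-sensitivity mismatch between credential lookup and MFA-policy lookup
# lets a username-case change skip the second factor, and the fix.
import hmac

# Constructed sample data: one account whose password the attacker already
# knows, and an MFA policy keyed by the exact username string as enrolled.
USERS = {"alice": "correct horse battery staple"}   # credential store
MFA_REQUIRED = {"alice": True}                        # policy store, exact-match keys


def _find_user(username):
    """Credential lookup is case-insensitive, as many directory backends are.
    Returns the canonical (enrolled) username, or None."""
    for name in USERS:
        if name.lower() == username.lower():
            return name
    return None


def vulnerable_login(username, password, token_ok):
    """Vulnerable flow: the MFA policy lookup uses the username as typed.
    Returns (allowed, mfa_prompted)."""
    canonical = _find_user(username)
    if canonical is None or not hmac.compare_digest(USERS[canonical], password):
        return (False, False)
    # BUG: exact-match lookup on the attacker-controlled string. "Alice"
    # authenticates as "alice" but finds no policy entry, so MFA is skipped.
    if MFA_REQUIRED.get(username, False):
        return (bool(token_ok), True)
    return (True, False)


def hardened_login(username, password, token_ok):
    """Fixed flow: every lookup after authentication uses the canonical name
    from the credential store, so the policy can't be dodged by case changes.
    Returns (allowed, mfa_prompted)."""
    canonical = _find_user(username)
    if canonical is None or not hmac.compare_digest(USERS[canonical], password):
        return (False, False)
    if MFA_REQUIRED.get(canonical, False):
        return (bool(token_ok), True)
    return (True, False)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("vulnerable, 'alice', no token:", vulnerable_login("alice", pw, False))
    print("vulnerable, 'Alice', no token:", vulnerable_login("Alice", pw, False))
    print("hardened,   'Alice', no token:", hardened_login("Alice", pw, False))
    print("hardened,   'Alice', token ok:", hardened_login("Alice", pw, True))
```

The general lesson is the same wherever an identity system keeps more than one keyed store: derive one canonical identifier immediately after authentication and use only that for every subsequent policy decision, and treat any success path that never consulted the MFA policy as a bug rather than as "no policy configured".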

Hive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments.

Separately, today Cyberint released a report on ransomware trends in 2022. Among the findings:

  • The US is still the world’s most targeted region with 1,060 victims, a decline of around 300 from last year, followed by the UK, Canada and Germany.

  • While Q2 and Q3 saw major declines in ransomware activity (708 and 666 incidents respectively, down from 763 in Q1), Q4 saw a slight increase to 672. Cyberint analysts attributed the Q4 growth to new groups that gained ground in Q3 and Q4, such as Royal and BlackBasta.

  • LockBit 3.0’s rise to power and notoriety has been rapid without using Twitter for “PR” like other groups.

  • Talent-for-hire in the ransomware world is changing the game: LockBit’s ‘bug bounty program’, which demonstrated the group’s arrogance and power, offered rewards to anyone who found vulnerabilities in its servers.

  • Royal’s rise in the last months of 2022 has already given it a higher rate of activity than LockBit, suggesting that competition between the two can be expected in 2023.
