An image of a seized ransomeware website is displayed at a press conference where the U.S. Attorney General Merrick Garland made an announcement on an international ransomware enforcement action at the U.S. Justice Department on January 26, 2023 in Washington, DC. The Justice Department announced that the FBI has seized the website of HIVE, a notorious ransomware gang, which has extorted more than $100 million from victim organizations.
A prominent ransomware-as-a-service (RaaS) gang was taken down when the FBI infiltrated its networks, halted its operations, and confiscated its sites. As the US Department of Justice's deputy attorney general phrased it, they "hacked the hackers."
A Strategy That Backfired on the Criminals
US Attorney General Merrick Garland, FBI Director Christopher Wray, and Deputy US Attorney General Lisa Monaco held a press conference to reveal that the government had secretly highjacked the networks of the Hive ransomware gang in July 2022. They had since been conducting a six-month surveillance operation, as reported by TechSpot.
Attempted ransom payments totaled roughly $130 million, including $5 million from a Texas school district, were prevented by the FBI. The authorities stole more than 300 decryption keys from Hive and distributed them to victims of the assault.
The government also sent over a thousand extra decryption keys to past Hive victims.
The FBI was able to inform its intended victims of planned attacks via Hive's infrastructure, allowing them time to fortify their defenses. Both the Tor payment and data leak sites used by Hive were taken down.
According to Bleeping Computer, the FBI accessed three servers at a California hosting company that were rented using Hive members' email addresses. The Dutch police accessed two separate backup servers located in the Netherlands as part of a coordinated operation.
After further investigation, law enforcement officials determined that these servers were the primary data leak site, negotiation site, and web panels for Hive and its subsidiaries.
The affidavit states that when the FBI examined the database found on Target Server 2, the FBI found records of Hive interactions, malware file hash values, and information on the gang's 250 affiliates. The agency also saw victim information consistent with what they obtained through the decryption key operation.
Germany, Canada, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the UK orchestrated the operation.
"Using lawful means, we hacked the hackers. We turned the tables on Hive," Monaco revealed to the media.
Also Read: Dutch Authorities Arrest Hacker for Attempting to Sell Austrian Citizens' Personal Information
Hive's Notorious Operations
The Hive's operation, which began in June 2021, ultimately attacked over 1,500 people in 80 different countries. Similar to other RaaS businesses, it leased out the virus to criminals in exchange for a percentage of the ransom.
While no arrests have been made, a department spokesman indicated that the situation would soon change since the gang had collected over $100 million in ransomware payments.
When compared to previous ransomware groups, Hive has never explicitly declared that it would not target healthcare facilities or emergency responders.
