Last November, two weeks after the Biden administration held the second International Counter Ransomware Summit, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) published a joint cybersecurity advisory warning organizations about the threat posed by the Hive ransomware gang. At the time, the FBI counted over 1,300 organizations as victims of the threat group, which had paid a combined $100 million in ransoms. What we didn’t know then was that the FBI had infiltrated Hive’s internal network in July 2022 and had since been countering the gang’s attacks by quietly providing decryption keys to victims. Fast forward to this week, and the FBI has now seized the servers and websites that Hive used to run its criminal operation.
Like most ransomware, Hive encrypted victims’ files with keys known only to the attackers. The gang then extorted victims by offering to hand over the decryption keys in exchange for a ransom. According to the US Department of Justice (DoJ), by infiltrating Hive’s network, the FBI was able to provide over 1,300 decryption keys to Hive ransomware victims, both to organizations under active attack and to earlier victims. The FBI estimates that the distribution of these keys saved victims over $130 million in ransom payments.
Map of Hive ransomware activity (source: FBI)
Nevertheless, data encryption was only half of Hive’s extortion strategy. The gang practised double extortion: before encrypting the victims’ files, it exfiltrated copies of the unencrypted data and later threatened to publish them on its dedicated leak site (DLS). Unfortunately, helping victims recover their encrypted files by providing decryption keys did nothing to mitigate this other, potentially more harmful half of the ransomware threat, since the stolen data remained in the gang’s hands.
Fortunately, the FBI’s efforts to thwart Hive’s cybercriminal activity did not end with penetrating the gang’s network. With the help of numerous US and international law enforcement agencies, the FBI was able to locate and seize the servers that ran not only Hive’s DLS, but also the gang’s management and communications infrastructure. According to the affidavit filed shortly before the seizure, the servers were located in a data center in California and had been leased through three email accounts determined to be associated with the Hive operators.
While the FBI has shut down and commandeered Hive’s server infrastructure and helped the gang’s victims recover their encrypted data, as far as we know, no arrests were made as part of this anti-ransomware operation. With Hive’s developers and affiliates still at large, it is quite possible that these cybercriminals will return under a new name or join other ransomware gangs.
Law enforcement agencies are still trying to determine the identity and location of these threat actors, and the US government is offering up to $10 million for information linking such cybercriminals to a foreign government. Shortly after the DoJ announced the FBI’s seizure of Hive’s servers, the US State Department’s Rewards for Justice program tweeted: “If you have information linking Hive or other malicious cyber actors targeting US critical infrastructure to a foreign government, send us your tip via our Tor tip line. You may be eligible for a reward.”