WASHINGTON (AP) – The FBI and international partners have at least temporarily disrupted the network of a prolific ransomware ring they infiltrated last year, sparing victims including hospitals and school districts a potential $130 million in ransoms, Attorney General Merrick Garland and other U.S. officials announced Thursday.
“Simply put, using legal means we hacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference.
Officials said the targeted syndicate, known as Hive, is among the world’s top five ransomware networks and has heavily targeted healthcare. The FBI quietly gained access to the control panel in July and was able to obtain software keys it used with German and other partners to decrypt the networks of about 1,300 victims globally, FBI Director Christopher Wray said.
How the takedown will affect Hive’s long-term operations is unclear. Officials announced no arrests, but said that to pursue prosecutions they were building a map of the administrators who run the software and the affiliates who infect targets and negotiate with victims.
“I think everyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.
On Wednesday night, FBI agents seized computer servers in Los Angeles used to support the network. Two Hive dark web sites were seized: one was used to leak data from non-paying victims, the other to negotiate extortion payments.
“Cybercrime is an ever-evolving threat, but as I’ve said before, the Justice Department will spare no resources to bring to justice anyone anywhere who targets the United States with a ransomware attack,” Garland said.
He said the infiltration, led by the FBI’s Tampa office, allowed agents in one case to disrupt a Hive attack against a Texas school district and stop it from paying a $5 million ransom.
It is a major victory for the Justice Department. Ransomware is the world’s biggest cybercrime headache, with everything from Britain’s Royal Mail and Ireland’s national health service to Costa Rica’s government crippled by Russian-speaking syndicates enjoying Kremlin protection.
The criminals lock up, or encrypt, the victims’ networks, steal sensitive data and demand large sums. Their extortion has evolved to the point where data is stolen before the ransomware is activated and is then effectively held hostage: pay up in cryptocurrency or it will be publicly released.
As an example of a Hive attack, Garland said one in 2021 kept a Midwestern hospital from accepting new patients at the height of the COVID-19 pandemic.
The online takedown notice, alternating in English and Russian, mentions Europol and German police partners. German news agency dpa quoted prosecutors in Stuttgart as saying that cyber specialists in the southwestern city of Esslingen were crucial to penetrating Hive’s criminal IT infrastructure after a local company was victimized.
In a statement, Europol said that companies in more than 80 countries, including multinational oil companies, have been compromised by Hive and that law enforcement from 13 countries were involved in the infiltration.
A US government advisory last year said Hive ransomware actors victimized over 1,300 companies worldwide from June 2021 to November 2022, yielding payouts of around $100 million. Criminals using Hive’s ransomware-as-a-service tool targeted a wide range of businesses and critical infrastructure, including government, manufacturing and especially healthcare.
Although the FBI offered decryption keys to about 1,300 victims globally, Wray said only about 20% of them had reported the attack to law enforcement.
“Fortunately, we were still able to identify and help many victims who did not report. But that’s not always the case,” Wray said. “When victims report attacks to us, we can help them and others too.”
Victims sometimes pay ransoms without notifying the authorities – even if they have quickly restored networks – because the data stolen from them can be extremely harmful to them if leaked online. Identity theft is among the risks.
John Hultquist, the head of threat intelligence at cybersecurity firm Mandiant, said the Hive outage won’t lead to a major drop in overall ransomware activity, but is still “a blow to a dangerous group.”
“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures that a Hive competitor will be ready to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” said Hultquist.
But analyst Brett Callow with cybersecurity firm Emsisoft said the operation is apt to reduce ransomware crooks’ confidence in what has been a very high-reward, low-risk business. “The information collected may point to affiliates, money launderers and others involved in the ransomware supply chain.”
Allan Liska, an analyst with Recorded Future, another cybersecurity outfit, predicted indictments, if not actual arrests, in the coming months.
There are few positive indicators in the global fight against ransomware, but here is one: an analysis of cryptocurrency transactions by the firm Chainalysis found that ransomware extortion payments were down last year. It tracked payments of at least $456.8 million, down from $765.6 million in 2021. While Chainalysis said the true totals are certainly much higher, payments were clearly down. It suggests that more victims are refusing to pay.
The Biden administration took ransomware seriously at its highest level two years ago after a series of high-profile attacks threatened critical infrastructure and global industry. In May 2021, for example, hackers targeted the nation’s largest fuel pipeline, prompting its operators to briefly shut it down and pay a multimillion-dollar ransom, which the US government later largely recovered.
A global task force involving 37 nations began work this week. It is led by Australia, which has been particularly hard hit by ransomware, including a major medical insurer and telecoms firm. Conventional law enforcement measures such as arrests and prosecution have done little to frustrate the criminals. Australia’s Home Affairs Minister, Clare O’Neil, said in November that her government was cracking down, using cyber intelligence and police agents to “find these people, hunt them down and weaken them before they can attack our country.”
The FBI has gained access to decryption keys in the past. It did so in the case of a major ransomware attack in 2021 on Kaseya, a company whose remote-management software was used to push ransomware to hundreds of downstream businesses. However, it took some heat for waiting several weeks before helping victims unlock affected networks.
Bajak reported from Boston. Associated Press writer Kirsten Grieshaber in Berlin contributed.