The FBI managed to infiltrate a network of cybercriminals specializing in ransomware for months. By secretly recovering decryption keys to share with victims, the agency was able to thwart over $130 million in ransom demands.
The FBI has just announced the seizure of the servers of an international group specializing in ransomware. Hive, which is one of the most active groups, has targeted hospitals, schools, businesses and critical infrastructure in more than 80 countries. Its members use malware to encrypt their victims’ systems, rendering them unusable, and demand payment of a ransom in exchange for the decryption key.
In a statement, the United States Department of Justice indicates that the FBI had secretly infiltrated Hive’s systems since July 2022. The authorities were thus able to quietly recover the decryption keys, help more than 300 victims targeted since that date, and provide keys to more than 1,000 victims who had previously suffered attacks. In total, they estimate that they have foiled more than $130 million in ransom demands.
Ransomware as a Service
This Thursday, January 26, the agency announced that it had succeeded in dismantling the group’s systems, thanks to collaboration with the German and Dutch authorities and Europol. “In the context of 21st-century cyber surveillance, our team of investigators got the better of Hive, seizing its decryption keys, passing them on to victims, and ultimately avoiding the payment of over $130 million in ransoms,” said Assistant Attorney General Lisa O. Monaco. While it hasn’t announced any arrests, the agency has seized the servers and websites the members used to communicate, which should hold them back for some time.
The group, whose name means “hive”, is organized as a hierarchy following a ransomware-as-a-service (RaaS) model. “Administrators” are in charge of developing the ransomware, while infecting victims’ systems is the work of their “affiliates”. Any means will do: Remote Desktop Protocol (RDP) or VPN access when two-factor authentication is not enabled, flaws in the FortiToken two-factor authentication system or in Microsoft Exchange servers, or even the good old method of phishing by e-mail with a malicious attachment.
Customer service on the dark web
Affiliates carry out a double attack. First, they download confidential information from the target organization’s systems. Then they encrypt the system, demand a ransom to release the decryption key, and threaten to release the stolen data without payment.
The malware stops the antivirus, clears the system logs and encrypts the hard drive. It runs on Windows, but there are also variants for Linux, VMware ESXi and FreeBSD. Very often, it then displays a .onion link on the dark web, accessible with the Tor browser, which leads to a chat with the “sales department” to discuss the ransom payment. However, some victims were contacted by e-mail or telephone. If the victim sends the requested money, the affiliates pay 20% to the administrators.
US authorities said Hive has targeted more than 1,500 victims since it emerged in June 2021, and received more than $100 million in ransoms. It remains to be seen how long it will take the group to set up new servers following the seizure and resume service…