Today, the United States Department of Justice has delivered a powerful blow to the malicious ransomware group known as Hive with the successful disruption of its operations. Since June 2021, Hive has launched cyberattacks against over 1,500 victims worldwide, many in the healthcare sector. This prompted alerts from agencies such as the U.S. Department of Health and Human Services, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency.
Hive used a subscription-based business model called ransomware-as-a-service (RaaS) in which administrators or developers would produce a ransomware strain and offer it to affiliates. Affiliates would then use the malware to target victims, and receive a commission when these victims paid the ransom. Hive actors used a double-extortion tactic, first stealing sensitive data, then demanding money in order to decrypt the system and keep the extracted data private. They usually targeted the most delicate data to amplify pressure on the victim to pay, and the ransom was shared between affiliates and administrators at a ratio of 80/20. Those who did not comply had their stolen data published on the Hive Leak Site. Hackers affiliated with the Hive have been entering into victim networks through various insecure methods such as unprotected logins, vulnerability of FortiTokens, and mistaken downloads of malicious files. CISA recommends vigilance against such attacks in order to protect valuable data.
“Cybercriminals utilize sophisticated technologies to prey upon innocent victims worldwide,” said U.S. Attorney Roger Handberg for the Middle District of Florida. “Thanks to the exceptional investigative work and coordination by our domestic and international law enforcement partners, further extortion by HIVE has been thwarted, critical business operations can resume without interruption, and millions of dollars in ransom payments were averted.”
The US Department of Justice (DOJ) has been successful in disrupting the criminal activities of the Hive ransomware gang, since infiltrating their network in July 2022. Throughout this period, the FBI has been able to provide over 300 decryption keys to current and another 1,000 codes to previous victims, ultimately protecting more than $130 million that would’ve otherwise been paid in ransoms. Furthermore, with help from German and Dutch law enforcement, the servers and websites that Hive used to communicate with its members were seized, which has hindered the gang’s ability to attack and extort victims.
“Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” said Attorney General Merrick B. Garland. “Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”
Previously, the FBI, CISA, HHS, and other organizations have recommended specific steps to limit potential malicious use of system and network scanning processes and reduce the potential harm of Hive ransomware. This includes patching, verifying the adversary has no access, implementing phishing-resistant multi-factor authentication, restricting remote access, monitoring logs, disabling unnecessary ports, establishing offline backups, and running anti-virus software. Organizations impacted by a ransomware incident have also been advised to take steps to isolate, remove, and power-off systems which are infected or potentially infected. This includes cutting off network access to the infected systems and separating them from any other computers or devices on the network. Backups should also be secured offline and scanned to ensure they are free of malware