source link: https://siliconangle.com/2023/01/26/law-enforcement-operation-seizes-infrastructure-belonging-hive-ransomware-group/

Law enforcement operation seizes infrastructure belonging to Hive ransomware group


A joint operation between law enforcement agencies in North America and Europe has resulted in the infrastructure of the Hive ransomware group getting taken offline.

The takedown, led by the U.S. Federal Bureau of Investigation, was announced today. It involved what officials called a “21st-century cyber stakeout,” with agents first infiltrating the group and its networks in late July. Since then, the FBI has provided more than 300 decryption keys to Hive victims who were under attack and also distributed 1,000 keys to previous Hive victims.

The raids on the group took place on Jan. 25 as the German Federal Criminal Police and the Netherlands National High Tech Crime Unit seized control of servers and websites used by Hive to communicate with its members. Doing so resulted in what the Department of Justice claims is a disruption of Hive’s ability to attack and extort victims.

“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard,” FBI Director Christopher Wray said in a statement.

Hive first emerged in 2021 and operates on a ransomware-as-a-service basis. RaaS ransomware purveyors provide the code and customer service to affiliates who undertake the attacks themselves.

The activities of the group were detailed in a report from the FBI in November, which claimed that the gang had successfully extorted more than 1,300 businesses for more than $100 million in payments since June 2021. Hive targets have included government facilities, communications, critical manufacturing, information technology, healthcare and public health.

Although news of Hive's apparent takedown has been received positively, so-called "takedowns" of prominent ransomware gangs are often short-lived. That there were seemingly no arrests during the raids on Hive means that those behind the group are still at large, and establishing new servers and sites is not a challenging task for hackers who successfully infiltrate Fortune 500 companies.

“True dismantlement comes only when law enforcement can ‘put hands on’ or arrest the individuals responsible,” Austin Berglas, global head of Professional Services at supply chain defense company BlueVoyant LLC, told SiliconANGLE. “However, identifying the actual human beings behind the keyboard is a very difficult task.”

There may be a temporary decline in ransomware activity in the wake of the website seizure as groups scramble to harden defenses and tighten their inner circles, he added, but that won’t make a noticeable impact on global ransomware attacks. “History has shown that ransomware gangs that disband either due to law enforcement actions, internal strife, or geo-political reasons will sometimes regroup under a different name,” he said.

Others were more positive. Eric O’Neill, national security strategist at cloud computing company VMware Inc., said that the disruption of the group “demonstrates that the FBI has increased its ability to investigate and track threat actors across the dark web,” the shady corner of the internet accessible with special software.

Kev Breen, director of cyber threat research at cybersecurity training company Immersive Labs Ltd., warned that although disrupting Hive was “no doubt a victory,” the “war is far from over.”

“While this action will have a short-term effect on the proliferation of ransomware, Hive operates under a RaaS model, meaning they use affiliates that are responsible for gaining the initial foothold and then dropping the ransomware payload,” Breen added. “With the proverbial head of this snake cut off, those affiliates will turn to other ransomware operators and pick up where they left off.”

Photo: Levi Asay/Wikimedia Commons
