Ransomware gang Hive busted, had grossed more than 100 million dollars. The US Department of Justice says the FBI hacked the Hive hackers

Hive gang defeated

In a press conference called for the occasion, the US Department of Justice declared that FBI agents managed to eradicate the infamous Hive gang and thus nullify its extortion campaigns worth 130 million dollars.

The Department of Defense claims to have infiltrated the Hive group's network and witnessed the group's criminal activities from within.

“Simply, we hacked the hackers using legal methods,” Deputy Attorney General Lisa Monaco said during a press briefing.

The FBI intrusion took place in July 2022, and since then, the FBI has managed to get hold of 300 file decryption keys belonging to the companies that were victims of the ransomware extortion. This has allowed businesses to get their data back without having to pay the ransom. According to the FBI, only 20% of businesses reported being victims of a ransomware attack.

The Hive group has a long track record and, according to the Justice Department, it was responsible for targeting more than 1,500 victims in more than 80 countries around the world.

After 6 months of observing the criminal activity, the FBI came into possession of a great deal of information, including the location of the servers that housed the network, in Germany and Holland. With the collaboration of local investigators, they proceeded to put the servers out of service.

According to Monaco, “we broke Hive's business model by turning the tables”. According to the FBI, Hive was one of the top five ransomware threats in the world. Since June 2021, Hive victims have paid more than $100 million in ransom money, according to the Justice Department.

The big business of RaaS

Hive's business model is ransomware-as-a-service (RaaS). Hive administrators build a strain of ransomware, design an easy-to-use interface to control it, and then enlist affiliates to whom they sell the service to spread it to victims. Affiliates, after paying an entrance fee, get a control panel that allows them to carry out attacks even without great technical knowledge. Any profits are split 80% to the affiliate and 20% to Hive.

Victims affected by ransomware can communicate with Hive's extortionists via Hive's website on the Dark Web. At this point, Hive's negotiators enter into talks with the victims, formulate a ransom demand (usually in Bitcoin or another cryptocurrency) for 1% of the company's annual revenue, and demonstrate their involvement in the attack by providing sample files or a decryptor for a small subset of encrypted files.

Hive's extortionists used a double-extortion attack strategy. The affiliate stole or exfiltrated sensitive information before encrypting the files. The affiliate then demanded payment in exchange for a promise not to disclose the stolen data and to deliver the decryption key needed to unlock the victim's system. To further incentivize payment, affiliates typically targeted the most private information on the victim's system. In the case of a publicly traded company, they threatened to send the data to the Securities and Exchange Commission (SEC).

However, when victims refused to pay, the administrators of Hive published the stolen data on the site "HiveLeaks".

The plague of ransomware

The US Cybersecurity and Infrastructure Security Agency (CISA) states that affiliates use techniques such as email phishing, exploiting FortiToken authentication loopholes, and accessing corporate VPNs and remote desktops (via RDP) that are secured only with single-factor authentication.

Once inside the victim's computer system, they usually start by disabling any security software, then encrypt the data and drop a ransom note named HOW TO DECRYPT.txt in the encrypted directories; the note contains a link that sends victims to Hive's chat website to discuss the ransom.
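As an added example (not from the article and not Hive's or the FBI's code), the following Python sketch shows how a SOC might detect the sequence just described: a security service being stopped, followed by the ransom note appearing across many directories within a short window. The event format, host names, timestamps and the list of security service names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real Hive data), one event per line:
# "<ISO timestamp> <host> <event_type> <detail>"
SAMPLE_EVENTS = """\
2022-05-01T03:10:02 ws-17 service_stop WinDefend
2022-05-01T03:10:05 ws-17 file_create C:\\Users\\ana\\Documents\\HOW_TO_DECRYPT.txt
2022-05-01T03:10:06 ws-17 file_create C:\\Users\\ana\\Pictures\\HOW_TO_DECRYPT.txt
2022-05-01T03:10:07 ws-17 file_create C:\\Finance\\Q2\\HOW_TO_DECRYPT.txt
2022-05-01T03:10:09 ws-17 file_create C:\\Finance\\Q1\\HOW_TO_DECRYPT.txt
2022-05-01T09:00:00 ws-22 file_create C:\\Users\\bob\\Desktop\\notes.txt
2022-05-01T09:00:01 ws-22 file_create C:\\Users\\bob\\Desktop\\HOW_TO_DECRYPT.txt
"""

# The note name is written with spaces in the article; match either spelling.
RANSOM_NOTE = re.compile(r"HOW[ _]TO[ _]DECRYPT\.txt$", re.IGNORECASE)
# Assumed, illustrative list of services whose stop is suspicious before encryption.
SECURITY_SERVICES = {"WinDefend", "Sense", "MsMpSvc"}


def parse(line):
    ts, host, etype, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, etype, detail


def detect(events_text, min_dirs=3, window=timedelta(minutes=5)):
    """Return {host: finding} for hosts where the ransom note lands in at least
    min_dirs distinct directories within `window`, noting whether a security
    service was stopped shortly before (the disable-then-encrypt pattern)."""
    notes = defaultdict(list)   # host -> [(timestamp, directory)]
    stops = defaultdict(list)   # host -> [timestamp of security service stop]
    for line in events_text.splitlines():
        ts, host, etype, detail = parse(line)
        if etype == "file_create" and RANSOM_NOTE.search(detail):
            notes[host].append((ts, detail.rsplit("\\", 1)[0]))
        elif etype == "service_stop" and detail in SECURITY_SERVICES:
            stops[host].append(ts)
    findings = {}
    for host, hits in notes.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            dirs = {d for t, d in hits[i:] if t - start <= window}
            if len(dirs) >= min_dirs:
                tampered = any(start - window <= s <= start for s in stops[host])
                findings[host] = {"first_seen": start, "directories": len(dirs),
                                  "security_service_stopped": tampered}
                break
    return findings
```

A single note on one desktop (ws-22) stays below the threshold, so the rule fires only for the host showing mass note creation after the service stop.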

According to the FBI, since June 2021, the Hive group has attacked more than 1,500 victims worldwide.

In May 2022, Hive launched a severe attack on Costa Rica's health service. Only a few months earlier, the President of Costa Rica had declared a national emergency following an attack by the Russian Conti gang. The Conti gang would later disband; some say this was due to the $15 million bounty placed by the US Government. According to other observers, however, the alleged "dissolution" of the Conti gang instead answered a need for internationalization, in the general context of the Russia-Ukraine war. On this view, Conti's hackers would not have withdrawn from the business but would have merged into smaller RaaS groups, such as Hive, Avos Locker, Black Cat and Black Byte, with the aim of turning them into large groups with the "firepower" to attack large targets.

Does RaaS have a future?

Among Hive's most famous attacks are those on Media Markt, the European consumer electronics retailer; Emil Frey, the European car dealer; Memorial Healthcare System in the US; and the Sando construction company in Spain. As of July 2022, Hive was among the top 5 most active ransomware gangs, operating primarily in North America and Europe, followed by South America, Asia and the Middle East.

The FBI took down the Hive network, but didn't make any arrests. What will the gang members do? According to Jim Simpson, director of threat intelligence at the British company Searchlight Cyber, the Hive hackers "soon would have established themselves under another name or would have been recruited into other RaaS gangs".

However, Simpson applauded the FBI's action, noting that "the operation has imposed a significant cost on Hive's businesses in both cases."
