Prolific ransomware gang Hive’s online infrastructure has been seized in a law enforcement sting led by the FBI and Europol, involving law enforcement officers from 13 countries. Officers obtained decryption keys that could help victims of the group recover their encrypted data and avoid paying ransoms totalling more than $100m.
The dark web blog site for the gang has been replaced with a seizure notice. It says: “This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action.”
Europol confirmed the operation in a statement this afternoon, saying: “Europol supported the German, Dutch and US authorities in taking down the infrastructure of the prolific Hive ransomware. This international operation involved authorities from 13 countries in total. Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals.”
The statement added: “Law enforcement provided the decryption key to companies which had been compromised in order to help them decrypt their data without paying the ransom. This effort has prevented the payment of more than $130m (€120m) of ransom payments.”
It has not been revealed if any arrests have been made as part of the operation.
Hive ransomware’s reign of terror
Thought to be based in Russia, Hive is responsible for numerous attacks on targets including critical national infrastructure and private sector businesses. As of November, the gang had attacked more than 1,300 organisations worldwide, according to an advisory released by the US Cybersecurity & Infrastructure Security Agency (CISA).
The gang’s main targets are schools and healthcare institutions. In August of last year the cybercrime group froze the online infrastructure of six schools belonging to the Wooton Academy Trust in Bedfordshire. Hive demanded a ransom of £500,000, threatening to release the pilfered data of 4,500 schools should the trust refuse to co-operate. Parents of the pupils were also contacted by the ransomware gang.
In July, the cybercriminals went on a spree, hitting seven companies including frozen food specialist Exala, IT consultancy AdaptIT and US marketing firm Authentic Brands Group. This followed an attack in April in which cybercriminals using Hive hit the Indonesian gas giant PGN.
Is FBI sting a buzz-kill for Hive?
The FBI and Europol’s operation will disrupt the gang’s operations, says Allan Liska, CSIRT at cybersecurity company Recorded Future, because the data seized during the operation will contain vital information. “There’s always valuable intelligence that’s gathered from these servers,” he says.
This information could help law enforcement agencies track down Hive affiliates who also belong to other criminal gangs. “If you can start arresting some of the affiliates, it does have a broader impact down the road, while also disrupting ransomware attacks in the short term,” Liska says.
Moreover, Liska believes this kind of co-ordinated operation from law enforcement agencies will cause other ransomware gangs to think twice before drawing attention to themselves. “I think it’s too dangerous [for ransomware gangs] right now,” he says. “Look at all the flags that are on that seizure page. All of these countries are co-operating and they’re all going after ransomware groups.”