The FBI infiltrated the Hive network in July, stealing decryption codes for some 1,300 old and new attacks, as well as contributing to a sizable drop in ransomware payments in 2022.
This summer, the FBI penetrated a major ransomware group's computer network — seizing decryption keys that saved 300 victims an estimated $130 million, Attorney General Merrick Garland announced Thursday.
The Hive group had targeted more than 1,500 companies, nonprofits and other victims in 80 countries, "including hospitals, school districts, financial firms, and critical infrastructure," the Department of Justice said.
Along with the current victims, the FBI was able to provide decryption keys to 1,000 previous victims before seizing both servers and websites the group's members used to communicate, it said.
Cryptocurrencies, especially Bitcoin but increasingly the more-difficult-to-track privacy coin Monero, are the standard currency of ransomware payments.
"The Department of Justice's disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators," Deputy Attorney General Lisa Monaco said of the July breakthrough. She added:
"In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat."
After months of helping victims decrypt their systems, the FBI partnered with Europol and Dutch and German authorities to break up the ring.
"The coordinated disruption of Hive's computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard," said FBI Director Christopher Wray.
That gang was said to be behind the highest-profile ransomware attack to date, the May 7, 2021, attack on the Colonial Pipeline, which disrupted gasoline availability along the entire Eastern Seaboard and drew a great deal of attention from policymakers.
More Than Money
These threats go far beyond extorting money by locking away victims' data and destroying it if ransom is not paid.
Aside from infrastructure attacks like Colonial, Hive and other ransomware gangs are increasingly adding a second round of extortion, threatening to release companies' private and customer data. In the worst of cases, the consequences can be dangerous or even fatal.
Despite the COVID-19 pandemic, Hive gang members did not hesitate to target hospitals. In one case last year, the Department of Justice said:
"A hospital attacked by Hive ransomware had to resort to analog methods to treat existing patients and was unable to accept new patients immediately following the attack."
On Sept. 11, 2020, an ambulance in Düsseldorf, Germany, was transporting a woman who had suffered an aortic aneurysm to a nearby emergency room when the crew was told it was closed — due to a ransomware attack. The ambulance was rerouted to a hospital 20 miles away, delaying treatment by an hour. The victim was pronounced dead shortly after arriving, Wired reported.
A Big Impact
The Hive group was one of the most prolific ransomware groups last year, spiking to account for more than a third of all known attacks by the end of June, according to blockchain intelligence firm Chainalysis' 2022 Crypto Crime Report. But in the second half of 2022, Hive began shrinking rapidly, disappearing by the end of the year.
The FBI's breach of Hive's services and the subsequent dismantling of the network in July throws new light on that decline.
While noting that its estimates were on the low end, Chainalysis had put last year's total ransomware haul at $457 million, down from about $765 million in each of the two previous years.
Given the new information revealed by the DoJ, and the enormous size of the ransoms prevented, Chainalysis said:
"However, today's announcement indicates that this government action alone was a significant driver of the drop as well. It's also possible that other ransomware strains' infrastructure has been infiltrated by authorities in much the same way — we won't know until there's an announcement."