The FBI and international partners have at least temporarily disrupted the network of a prolific ransomware gang, which the bureau infiltrated last year, saving victims, including hospitals and school districts, potential ransom payments of $130 million, Attorney General Merrick Garland and other US officials said on Thursday.
Deputy Attorney General Lisa Monaco said at a press conference, “Simply put, we used lawful means to hack hackers.”
According to officials, the targeted syndicate, known as Hive, is one of the top five ransomware networks in the world, with a heavy focus on healthcare. The FBI covertly accessed Hive's control panel in July and obtained its decryption keys, which it then used with German and other partners to unlock the networks of about 1,300 victims worldwide, FBI Director Christopher Wray said.
It is unknown how the takedown will affect Hive's operations in the long term. Officials said no arrests had been made, but said they were mapping the administrators who control the software and the affiliates who infect targets and negotiate with victims, in order to pursue charges.
“This investigation is ongoing, so I think anyone involved with Hive should be concerned,” Wray said.
On Wednesday night, FBI agents seized a computer server in Los Angeles that was used to support the network. Two of Hive's dark-web sites were also seized.
“Cybercrime is an ever-evolving threat, but as I said earlier, the Department of Justice spares no resources to bring anyone who targets the United States in a ransomware attack to justice,” Garland said.
He said an undercover operation led by the FBI's Tampa office allowed agents to thwart a Hive attack on a Texas school district and block a $5 million payment.
This is a big win for the Justice Department. Ransomware is the world's biggest cybercrime headache, with victims ranging from the UK postal service and Ireland's national health network to the government of Costa Rica, which was paralyzed by a Russian-speaking syndicate that enjoys the protection of the Kremlin.
Criminals lock (encrypt) victims' networks, steal confidential data, and demand large sums of money. Their extortion has evolved to the point where data is stolen before the ransomware is activated and is then effectively held hostage: returned if the ransom is paid in cryptocurrency, published if it is not.
As an example of Hive's toll, Garland said one Midwestern hospital was unable to admit new patients in 2021, at the height of the COVID-19 pandemic.
The online takedown notices alternate between English and Russian and refer to Europol and German law enforcement partners. The German news agency dpa quoted Stuttgart prosecutors as saying that cyber specialists in the southwestern town of Esslingen played a decisive role in penetrating Hive's criminal IT infrastructure after local businesses were hit.
In a statement, Europol said companies in more than 80 countries, including oil multinationals, had been infected with Hive, and that law enforcement agencies from 13 countries took part in the operation.
According to a US government advisory issued last year, Hive ransomware attackers hit more than 1,300 organizations worldwide and extorted nearly $100 million in ransom payments between June 2021 and November 2022. Criminals using Hive's ransomware-as-a-service tools have targeted a wide range of enterprises and critical infrastructure, including government, manufacturing, and especially healthcare.
The FBI provided decryption keys to approximately 1,300 victims worldwide, but only about 20% of them had reported the attack to law enforcement.
“Fortunately, we have been able to identify and help many victims who did not report. But that is not always the case,” Wray said. “When victims report attacks to us, we can help them and others.”
Victims sometimes quietly pay the ransom without notifying authorities, even if their networks were quickly restored. Identity theft is among the risks.
John Hultquist, head of threat intelligence at cybersecurity firm Mandiant, said that while the Hive disruption won’t significantly reduce overall ransomware activity, it’s “a blow to dangerous groups.”
“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures that Hive's competitors stand by to offer a similar service in their absence, but as ransomware targets hospitals, we might think twice before we allow it to be used,” Hultquist said.
Brett Callow, an analyst at cybersecurity firm Emsisoft, said the operation is likely to erode ransomware criminals' confidence in what has been a highly rewarding, low-risk business. “The information collected may point to affiliates, launderers, and others involved in the ransomware supply chain.”
Allan Liska, an analyst at Recorded Future, another cybersecurity firm, predicts indictments, if not actual arrests, in the coming months.
There are few positive indicators in the global fight against ransomware, but here is one. An analysis of cryptocurrency transactions by Chainalysis found that ransomware extortion payments declined last year. It tracked payments of at least $456.8 million in 2022, down from $765.6 million in 2021. Chainalysis says the actual totals are certainly much higher, but the payouts are clearly down, which suggests that more victims are refusing to pay.
The Biden administration made ransomware a top-level priority two years ago after a series of high-profile attacks threatened critical infrastructure and global industries. In May 2021, for example, hackers targeted the largest US fuel pipeline, forcing the operator to temporarily shut it down and pay a ransom of millions of dollars, most of which the US government has since recovered.
This week, a global task force of 37 countries was launched, led by Australia, which has been particularly hard hit by ransomware, including attacks on a major health insurer and a telecommunications company. Traditional law enforcement actions such as arrests and prosecutions have done little to deter the criminals. Australia's Home Affairs Minister, Clare O'Neil, said in November that the Australian government was using cyberintelligence and the police to “find out these people, hunt them down and undermine them before they attack our country”.
The FBI has obtained decryption keys before. In 2021 it held the key for the massive ransomware attack on Kaseya, a software company whose compromised product was used to hit hundreds of businesses. The bureau took some heat, however, for waiting weeks before sharing it so that victims could unlock their affected networks.
This story was reported by the Associated Press. Frank Bajak reported from Boston. AP writer Kirsten Grieshaber in Berlin contributed to this report.