FBI brings down massive ransomware gang by “hacking the hackers”


What just happened? In what could be described as beautifully ironic, a notorious ransomware-as-a-service (RaaS) gang has been brought down after the FBI infiltrated its systems, disrupted operations, and seized its sites. Or, as the Deputy US Attorney General put it, they “hacked the hackers.”

Speaking at a news conference, US Attorney General Merrick Garland, FBI Director Christopher Wray, and Deputy U.S. Attorney General Lisa Monaco announced that the government secretly infiltrated the Hive ransomware gang’s networks in July 2022 before launching a six-month monitoring operation.

During this infiltration, the government was able to steal more than 300 decryption keys from Hive and distribute them to victims who were under attack, preventing around $130 million in ransom payments, including $5 million from a Texas school district. The feds also distributed over 1,000 additional decryption keys to previous Hive victims.

The FBI used its access to Hive’s infrastructure to warn targets about impending attacks, giving them time to bolster their systems and prepare. Hive’s Tor payment and data leak sites were also seized.

As per Bleeping Computer, the FBI gained access to two dedicated servers and one virtual private server at a hosting provider in California that were leased using email addresses belonging to Hive members. In a coordinated move, Dutch police also gained access to two dedicated backup servers hosted in the Netherlands. Law enforcement confirmed that these servers acted as the main data leak site, negotiation site, and web panels for Hive and its affiliates.

As per the affidavit: “In addition to decryption keys, when the FBI examined the database found on Target Server 2, the FBI found records of Hive communications, malware file hash values, information on Hive’s 250 affiliates, and victim information consistent with the information it had previously obtained through the decryption key operation.”

An FBI message (above) on the seized Hive Tor website notes that many countries were involved in the co-ordinated takedown, including Germany, Canada, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom.

“Using lawful means, we hacked the hackers,” Monaco told reporters. “We turned the tables on Hive.”

Hive, which launched in June 2021, targeted more than 1,500 victims in 80 different countries throughout its existence. As with other RaaS organizations, it rented out the malware to other criminals for a cut of the ransom.

The gang had collected more than $100 million in ransomware payments, and while no arrests have been announced, a department official suggested that would soon change. Unlike other ransomware operators, Hive never stated any intent to avoid targeting hospitals or emergency services.

Masthead credit: Sebastiaan Stam
