{"id":602149,"date":"2023-01-28T07:49:08","date_gmt":"2023-01-28T13:49:08","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/28\/hive-ransomware-gang-taken-down-after-fbi-hacks-back\/"},"modified":"2023-01-28T07:49:08","modified_gmt":"2023-01-28T13:49:08","slug":"hive-ransomware-gang-taken-down-after-fbi-hacks-back","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/28\/hive-ransomware-gang-taken-down-after-fbi-hacks-back\/","title":{"rendered":"Hive ransomware gang taken down after FBI hacks back"},"content":{"rendered":"<div id=\"content-header\">\n<h2>The FBI hacked into Hive\u2019s servers, stole its decryption keys and then took down its servers in a major action that has successfully disrupted a prolific and dangerous ransomware operation<\/h2>\n<\/div>\n<div id=\"content-center\">\n<ul>\n<li><i data-icon=\"1\"><\/i><\/li>\n<li><i data-icon=\"2\"><\/i><\/li>\n<\/ul>\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>27 Jan 2023 7:47<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>In one of the largest international cyber law enforcement actions seen to date, the Hive <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/ransomware\">ransomware<\/a> cartel\u2019s infrastructure was hacked, its decryption key \u201cstolen\u201d and distributed to victims, and its servers seized, bringing an end to <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252505816\/Four-emerging-ransomware-groups-take-center-stage\">an 18-month crime spree<\/a> that had stolen over $100m from around 
1,500 victims including hospitals, <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252528023\/Education-sector-hit-by-Hive-ransomware-in-November\">schools<\/a>, financial services organisations and critical infrastructure.<\/p>\n<p>The extent of the operation, revealed for the first time yesterday (26 January) by <a href=\"https:\/\/www.justice.gov\/opa\/video\/us-department-justice-disrupts-hive-ransomware-variant\">the US Department of Justice<\/a> (DoJ), was such that it pulled in law enforcement agencies from Canada, France, Germany, Ireland, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the UK and the US, with the European agencies coordinated through Europol.<\/p>\n<p>With the FBI leading the way, Hive\u2019s infrastructure was first penetrated in July 2022 and its decryption keys exfiltrated. The keys have since been handed out to 300 Hive victims under active attack, and over 1,000 previously attacked victims, saving an estimated $130m (\u00a3105.1m) in potential ransom payments. 
An independent researcher <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252522715\/Researcher-develops-Hive-ransomware-decryption-tool\">made a Hive decryption tool available<\/a> at approximately the same time \u2013 it is not known if there is a link to the operation.<\/p>\n<p>Then, earlier this week and working with the Dutch national cyber crime unit, German federal police and local authorities in the state of Baden-W\u00fcrttemberg, the FBI was able to seize control of the servers and websites that Hive used, disrupting the gang\u2019s ability to attack and extort any more victims.<\/p>\n<p>\u201cThe Department of Justice\u2019s disruption of the Hive ransomware group should speak as clearly to victims of cyber crime as it does to perpetrators,\u201d said deputy US attorney general Lisa Monaco.<\/p>\n<p>\u201cIn a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130m in ransomware payments. 
We will continue to strike back against cyber crime using any means possible and place victims at the centre of our efforts to mitigate the cyber threat.\u201d<\/p>\n<p>Paul Foster, deputy director of the UK <a href=\"https:\/\/www.nationalcrimeagency.gov.uk\/\">National Crime Agency\u2019s<\/a> (NCA\u2019s) National Cyber Crime Unit, added: \u201cHive was a service which enabled cyber criminals to steal millions from businesses across the globe, with several UK organisations suffering significant disruption and financial losses.<\/p>\n<figure data-img-fullsize=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/hive-seizure-fbi-800px.jpg\">\n <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/hive-seizure-fbi-800px_half_column_mobile.jpg\" srcset=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/hive-seizure-fbi-800px_half_column_mobile.jpg 960w,https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/hive-seizure-fbi-800px.jpg 1280w\" data-credit=\"FBI\" height=\"207\" width=\"279\" ><figcaption>\n  <i data-icon=\"z\"><\/i>Servers of the Hive strand of ransomware were taken offline on 26 January<br \/>\n <\/figcaption><\/figure>\n<p>\u201cThe combined might of international law enforcement, which includes NCA officers, is a tremendous example of action to take down illegal IT infrastructure. 
We continue to work closely with partners to bolster our capability to tackle this national security threat and strengthen the UK\u2019s response to cyber crime.<\/p>\n<p>\u201cI would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement.\u201d<\/p>\n<section data-menu-title=\"Hospital hit by Hive was forced to turn away patients\">\n<h3><i data-icon=\"1\"><\/i>Hospital hit by Hive was forced to turn away patients<\/h3>\n<p>Despite its relative youth, the Hive ransomware cartel was firmly established as one of the more prolific and dangerous <a href=\"https:\/\/www.techtarget.com\/whatis\/definition\/ransomware-as-a-service-RaaS\">ransomware-as-a-service<\/a> (RaaS) operations, operating a subscription-based model whereby it recruited affiliates to do its dirty work while taking a 20% cut of ransom payments for itself.<\/p>\n<p>At one time it was the most prolific ransomware family observed by incident responders at <a href=\"https:\/\/www.mandiant.com\/\">Google Cloud\u2019s Mandiant<\/a>, accounting for 15% of the intrusions to which Mandiant responded last year.<\/p>\n<p>The ransomware locker itself was under active development and was notably entirely rewritten in the Rust programming language in mid-2022, likely in an attempt to hinder analysis and throw researchers and investigators off its trail. 
Rust is one of a number of multiplatform languages valued by RaaS operators for their flexibility and ability to quickly and easily target\u00a0<a href=\"https:\/\/www.computerweekly.com\/news\/252524203\/Adaptive-RedAlert-Monster-ransomwares-go-cross-platform\">both Windows and Linux environments<\/a>.<\/p>\n<p>Hive was used by multiple actors, according to Mandiant, but one of the most enthusiastic Hive operators was UNC2727, also tracked as Gold Ulrick or Wizard Spider, which was previously known as the Conti ransomware operation <a href=\"https:\/\/www.computerweekly.com\/news\/252500905\/Conti-ransomware-syndicate-behind-attack-on-Irish-health-service\">that targeted the Irish Health Service Executive<\/a> in May 2021.<\/p>\n<p>The affiliates accessed their target networks using <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-321a\">a number of tried-and-tested methods<\/a>, often through single factor logins via the remote desktop protocol (RDP) tool, but also using virtual private networks (VPNs) and other remote network connection protocols, exploiting FortiToken vulnerabilities, and phishing emails containing malicious attachments. Hive affiliates are also known to have exploited <a href=\"https:\/\/www.computerweekly.com\/news\/252505767\/Half-of-MS-Exchange-servers-at-risk-in-ProxyShell-debacle\">the ProxyShell vulnerability chain<\/a> in Microsoft Exchange Server.<\/p>\n<p>The malware used the well-established double extortion technique which not only encrypted victims\u2019 data and rendered it inaccessible, but also stole and published the data on a dark web leak site, causing further distress and embarrassment, and acting as an additional \u201cincentive\u201d for its victims to pay up. 
It caused major disruption to victims\u2019 operations, in one case attacking a hospital that had to resort to analogue methods to treat existing patients, and was unable to accept new patients in the wake of its attack.<\/p>\n<p>In the UK, the NCA said that Hive affiliates had hit approximately 50 victims, including in the housing, haulage, commercial and education sectors.<\/p>\n<\/section>\n<section data-menu-title=\"Cyber crime market will prove resilient\">\n<h3><i data-icon=\"1\"><\/i>Cyber crime market will prove resilient<\/h3>\n<p>However, despite the success of the joint operation, experts tend to assess that the ransomware underground will take the disruption of Hive very much in its stride. Indeed, it is possible, even likely, that individuals associated with Hive are already firming up links with other operations \u2013 similarities have already been noted between Hive and an emerging ransomware, Play, thought to be behind <a href=\"https:\/\/www.computerweekly.com\/news\/252529566\/Arnold-Clark-cyber-attack-claimed-by-Play-ransomware-gang\">the December 2022 attack on UK car dealer Arnold Clark<\/a>.<\/p>\n<p>John Hultquist, head of Mandiant Threat Intelligence, said: \u201cThe disruption of the Hive service won\u2019t cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system.<\/p>\n<p>\u201cUnfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals.\u201d<\/p>\n<p>He continued: \u201cActions like this add friction to ransomware operations. Hive may have to regroup, retool, and even rebrand. When arrests aren\u2019t possible, we\u2019ll have to focus on tactical solutions and better defence. 
Until we can address the Russian safe haven and the resilient cyber crime marketplace, this will have to be our focus.\u201d<\/p>\n<\/section>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/252529648\/Hive-ransomware-gang-taken-down-after-FBI-hacks-back\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Luz
Mischke<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The FBI hacked into Hive\u2019s servers, stole its decryption keys and then took down its servers in a major action that has successfully disrupted a prolific and dangerous ransomware operation By Alex Scroxton, Security Editor Published: 27 Jan 2023 7:47 In one of the largest international cyber law enforcement actions seen to date, the Hive<\/p>\n","protected":false},"author":1,"featured_media":602150,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27690,31358,46],"tags":[],"class_list":{"0":"post-602149","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-hacks","8":"category-ransomware","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/602149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=602149"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/602149\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/602150"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=602149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=602149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=602149"}],"curies":[{"na
me":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}