On January 26, 2023, the United States Department of Justice (DoJ) released details about a disruption campaign against the Hive ransomware group. The disruption campaign has reportedly had access to Hive's infrastructure since July of 2022. Its access became public on Thursday when Hive's dark web began showing a notice that “this hidden site has been seized."
Hive ransomware has been around since June 2021. It is a ransomware-as-a-service (RaaS) operation which uses the threat to publish exfiltrated data as extra leverage to get the victims to pay. Hive was one of the most widely used RaaS in 2022, according to monitoring of dark web leak sites by Malwarebytes Threat Intelligence.
In August 2021, the FBI published a warning about Hive ransomware, sharing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation advice. In February 2022, researchers discovered a way to decrypt files for all versions of Hive ransomware up to and including version four. Hive is also thought to be one of the gangs that welcomed Conti members after the Conti disbandment in April 2022.
According to the DoJ, the Hive ransomware group has targeted over 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure, attempting to extort hundreds of millions of dollars from victims in the United States and around the world.
US officials credited German and Dutch authorities, and Europol for helping in the case. The German police were able to infiltrate the Hive infrastructure following an investigation of the Polizeipräsidium Reutlingen, which shows the importance of victims filing a report.
As part of the disruption the FBI has helped victims to decrypt their files for months, perhaps contributing to the dip in ransomware revenue over 2022. According to the DoJ this amassed to 336 victim interventions, preventing potentially $130 million in ransom payments.
The authorities also seized the leak site, where the group posted data exfiltrated from victims that were unwilling to pay, and the victim negotiation portal. This is a major setback and will undoubtedly cause affiliates and Initial Access Brokers (IABs) to take their business elsewhere.
Not done yet
But the hunt is far from finished. The US Rewards for Justice is offering a reward up to $10 million for information that links Hive or any other malicious cyber actors targeting US critical infrastructure to a foreign government. And in a press conference about the Hive takedown, FBI Director Christopher Wray acknowledged the FBI had infiltrated other ransomware groups.
The Europol statement about the takedown mentions some specific tactics used by Hive affiliates, which include using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols. In other cases, Hive actors gained access by exploiting vulnerabilities. Some Hive actors also gained initial access to victim’s networks by distributing phishing emails with malicious attachments.
Which prompts us to repeat, that you should implement measures to keep out IABs, such as employee phishing training, brute force protection, and timely vulnerability and patch management. It also reminds us of the importance of protecting your RDP.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.