The FBI proudly announced last week that, in coordination with Canadian and European law enforcement units, it had thwarted over $130 million in ransomware demands by infiltrating the Hive computer network and removing the threat of ransomware from most of its victims. No arrests have been made, but the action amounts to a dismantling of this notorious entity—a major victory for law enforcement and the wider cybersecurity community.
The news comes just as CSO Online reports the growing use of ransomware as a cover for intelligence gathering and sabotage by Russia, Iran, China and North Korea, and the UK’s National Cyber Security Centre warns of state-affiliated attack groups targeting key public figures and agencies, London city banks, and hospitals.
Therefore, it is important to remember that the closure of Hive is just one small victory in a much larger battle against cybercrime, which continues to be a major threat to individuals, businesses, and governments around the world.
Worker Bees Humming About
Hive has been one of the most active and sophisticated ransomware groups in operation. Active for several years, it became a byword for highly targeted attacks. The group is believed to have originated in Russia and has been responsible for a number of high-profile ransomware attacks on individuals, businesses, and even governments.
Gaining notoriety in mid-2021 at the height of the Covid pandemic, its members disrupted patient treatment through the Ransomware-as-a-Service model. Here, developers and administrators supplied their ransomware strains to affiliates, who then identified targets and deployed the malware. Hive even administered a web portal on Tor, where the names of victims who refused to pay were published alongside other ‘marketing’ material.
Within 3 months of its appearance, the group had attacked nearly 30 US healthcare organizations, and by December of that year it had hit an additional 355 US companies.
Hive’s tactics included using phishing emails to gain initial access to a target’s network, followed by the deployment of malware to exfiltrate sensitive data. This was then encrypted and held for ransom in exchange for the decryption key. In some cases, the group threatened to publicly release stolen data if the ransom was not paid.
Honey in the Jar
The cost of Hive’s ransomware activities is difficult to quantify, as many victims are reluctant to publicly disclose the amount of ransom they have paid. A typical ransom amounted to about 1% of the victim’s annual revenue. Affiliates were paid a percentage of the ransom subsequently extorted, usually about 20% of the haul. Overall, it is estimated that Hive has been responsible for tens of millions of dollars in ransom payments and losses from stolen data and disrupted operations.
In some cases, Hive’s attacks have resulted in significant financial losses for its victims, particularly for small and medium-sized businesses that may not have the resources to quickly recover from a ransomware attack. In addition to the direct costs of ransom payments and lost productivity, the indirect costs of a ransomware attack can be significant, including damage to reputation and the cost of restoring systems and data. In the case of critical infrastructure, such as healthcare organizations, the disruption to essential services potentially puts lives at risk.
Hive Keepers Risk Sting
One of the major challenges in combating ransomware is the role that some countries, particularly Russia, play in facilitating the activities of these groups. Russia has long been known as a safe haven for cybercriminals, and many of the most prominent ransomware groups have direct links to Russia or are based there. In the case of Hive, its association with the Russia-affiliated Conti Group has proven to be a major vulnerability.
Although Russian President Vladimir Putin has repeatedly denied any involvement or support for ransomware groups—describing such accusations as baseless and politically motivated—the Russian government has not effectively addressed the problem, and circumstantial evidence amounts to an indictment.
In April 2021, President Biden issued a warning to Russian President Vladimir Putin regarding the actions of Russia-based ransomware groups such as REvil, which were causing harm to American citizens and businesses. Biden warned that the US would take action if the Russian government did not take steps to address the problem. Four days later, Russian authorities arrested one of the individuals believed to be behind the REvil ransomware group.
Unfortunately, this episode only serves to highlight the challenges in attributing and combating cybercrime, as many ransomware groups operate across borders and are difficult to track and dismantle. Clearly, the arrest of one individual will have little impact on a group’s operations, and partners will swiftly step in to fill the gap.
Smoking out the Hive
Perhaps luckily, Hive’s centralized structure is what helped in its undoing—a warning to the crime syndicates and rogue nations behind a disconcerting percentage of cybercrime activities. Certainly, taking control of the group’s Tor portal was a powerful shot across the bow.
A major breakthrough in bringing Hive down was a February 2022 article from Cornell University describing a vulnerability in the group’s ransomware encryption algorithm that made it possible to obtain the master key and recover hijacked data. Then, in July 2022, the FBI’s Tampa operation managed to infiltrate Hive’s control panel and release both ransom funds and encryption keys.
Although no arrests have been made following the group’s closure, the US State Department has offered a $10m reward for information on the identity and/or location of the individuals involved, as it has already done for Conti, DarkSide and other North Korean and Russian actors. In fact, the State Department’s Transnational Organized Crime Rewards Program (TOCRP) has already issued over $135 million in rewards since 1986!
The recent closure of Hive by the FBI should serve as a reminder that international cooperation is crucial in the fight against ransomware. The US, Canada, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom were involved in taking down the Hive community—an operation tagged by Europol as ‘Operation Dawnbreaker’. But only individuals can provide the alertness that prevents cyberthugs from infiltrating our systems.
Only individuals (and their employers and families) can ensure their devices are protected with Phish-phighting apps, like novoShield.