In what’s a case of hacking the hackers, the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) operation has been seized as part of a coordinated law enforcement effort involving 13 countries.
“Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals,” Europol said in a statement.
The U.S. Department of Justice (DoJ) said the Federal Bureau of Investigation (FBI) covertly infiltrated the Hive database servers in July 2022 and captured 336 decryption keys that were then handed over to companies compromised by the gang, effectively saving $130 million in ransom payments.
The FBI also distributed more than 1,000 additional decryption keys to previous Hive victims, the DoJ noted, stating the agency gained access to two dedicated servers and one virtual private server at a hosting provider in California that were leased using three email addresses belonging to Hive members.
Aside from the decryption keys, an examination of the data from the servers revealed information about 250 affiliates, who are parties recruited by the developers to identify and deploy the file-encrypting malware against victims in exchange for a cut of each successful ransom payment.
The U.S. Department of State, in a related announcement, said it’s offering rewards of up to $10 million for information that could help link the Hive ransomware group (or other threat actors) to foreign governments.
Hive, which sprang up in June 2021, has been a prolific cybercrime crew, launching attacks against 1,500 organizations in no less than 80 countries and netting it $100 million in illicit profits.
Targeted entities spanned a wide range of verticals, including government facilities, communications, critical manufacturing, information technology, and healthcare.
According to statistics collected by MalwareBytes, Hive claimed 11 victims in November 2022, placing it at the sixth spot behind Royal (45), LockBit (34), ALPHV (19), BianLian (16), and LV (16).
“Some Hive actors gained access to victim’s networks by using single factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols,” Europol explained.
“In other cases, Hive actors bypassed multi-factor authentication and gained access by exploiting vulnerabilities. This enabled malicious cybercriminals to log in without a prompt for the user’s second authentication factor by changing the case of the username.”
The international operation consisted of authorities from Canada, France, Germany, Ireland, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the U.K., and the U.S.
If anything, the move is likely to cause a temporary disruption to Hive’s operations, forcing the group (tracked as Hive Spider) to establish new infrastructure should it intend to continue its criminal activity under the same moniker.
“The seizure of both the [dedicated leak site] and victim negotiation portal is a major setback to the adversary’s operations,” Adam Meyers, head of intelligence at CrowdStrike, said.
“Without access to either site, Hive Spider affiliates will have to rely on other means of communication with their victims and will have to find alternate ways to publicly post victim data.”
With the RaaS gangs constantly disbanding and regrouping in the wake of law enforcement actions, internal strife, or geopolitical reasons, the latest actions could have a short-term effect on the ecosystem and further lead the crews to harden their defenses.
The development also comes at a time when companies breached by ransomware attacks are increasingly refusing to settle, leading to record low payments in the fourth quarter of 2022. According to Coveware, only 41% of victims paid a ransom in 2022, compared with 50% in 2021, 70% in 2020, and 76% in 2019.
“The actions undertaken by U.S. agencies to disrupt the Hive ransomware group operation from within is an unprecedented step in the fight against ransomware, which has steadily remained the biggest threat facing most organizations today,” Satnam Narang, senior research engineer at Tenable, said.
“While this may signal the end of the Hive ransomware group, its members and affiliates remain a threat. If there’s anything we’ve learned after past disruptive actions against ransomware groups, it’s that other groups will rise to fill the void left behind.”
(The story has been updated after publication to include more information about the infrastructure crackdown.)