Industry Reactions to Hive Ransomware Takedown: Feedback Friday


Authorities in the United States and Europe have announced the results of a major law enforcement operation targeting the Hive ransomware. 

Agencies from around the world worked together to take down Hive’s leak website and servers. In addition, agents hacked into Hive systems in July 2022, allowing them to identify targets and obtain decryption keys that allowed victims to recover encrypted files without paying a ransom.

Authorities continue to investigate Hive in an effort to identify the cybercriminals involved in the operation, including developers, administrators and affiliates. The US announced that it’s offering rewards of up to $10 million for information on these and other hackers. 

Several industry professionals have commented on various aspects of the Hive takedown, many noting that while Hive may have fallen, the threat actors behind the operation will likely continue their malicious activities. 

And the feedback begins…

Kimberly Goody, Senior Manager, Mandiant Intelligence, Google Cloud:

“We’ve seen multiple actors using Hive ransomware since it emerged, but the most prolific actor over the past year, based on our visibility, was UNC2727. Their operations are notable because they have commonly impacted the healthcare sector. Hive also hasn’t been the only ransomware in their toolkit; in the past we’ve seen them employ Conti and MountLocker among others. This shows that some actors already have relationships within the broad ecosystem that could enable them to easily shift to using another brand as part of their operations.”

Crane Hassold, former FBI cyber psychological operations analyst, Head of Research, Abnormal Security:

“Unlike some other cyber threats, like business email compromise (BEC), the ransomware landscape is very centralized, meaning a relatively small number of groups are responsible for a majority of all the attacks. The silver lining to this top-heavy ecosystem is that disruptive actions against one of these primary groups, such as law enforcement takedowns, can have a significant impact on the overall landscape. Since Hive has been one of the biggest players in the ransomware space over the past year, I would expect this takedown to have a noticeable impact on ransomware volume, at least in the short-term.

Because of the increased pressure from global law enforcement and the likely regulatory controls of cryptocurrency, one of the biggest drivers of today’s ransomware landscape, it’s very possible that we’ll start to see ransomware actors pivot to other types of cyber attacks, like BEC. BEC is the most financially-impactful cyber threat today and, instead of using their initial access malware to gain a foothold on a company’s network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks.”

Satnam Narang, Senior Research Engineer, Tenable:

“The actions undertaken by U.S. agencies to disrupt the Hive ransomware group operation from within are an unprecedented step in the fight against ransomware, which has steadily remained the biggest threat facing most organizations today. While this may signal the end of the Hive ransomware group, its members and affiliates remain a threat. If there’s anything we’ve learned after past disruptive actions against ransomware groups, it’s that other groups will rise to fill the void left behind. Affiliates, which are typically responsible for conducting most of these attacks, can easily pivot to other affiliate programs of groups that remain operational, and ransomware group members can also take their knowledge to these groups. One of the key ways ransomware groups gain attention and notoriety is by publishing their successful attacks on data leak sites on the dark web. It wouldn’t surprise me if ransomware groups see the threat posed by maintaining these sites and stop publicly listing these attacks in an attempt to stay under the radar.”

Kurt Baumgartner, Principal Researcher, Kaspersky:

“The frequency of ransomware attacks has been up, while victim payments have reportedly gone down. This is a great trend, and this coordinated effort is what we need to see more of from law enforcement around the world. Some of this effort in letting the activity progress may seem somewhat controversial, but generating decryption keys for victims over time helps to exhaust the group’s resources.

Yes, in all likelihood, another gang is going to fill the void. It takes time and effort, but the incentives are in the hundreds of millions of dollars.

It’s somewhat surprising that the group housed their server resources in-country in Los Angeles. Apparently they thought everything was secured and hidden by the Tor network. Law enforcement put on display some impressive capabilities in infiltrating, seizing, and disrupting some of the gang’s resources. The actors behind this group have shown a reckless disregard for human life in their efforts to victimize schools and hospitals.”

Austin Berglas, Global Head of Professional Services, BlueVoyant:

“True dismantlement comes only when law enforcement can ‘put hands on’ or arrest the individuals responsible. However, identifying the actual human beings behind the keyboard is a very difficult task. Many of these cyber criminals are adept at anonymizing their online communications, locations, and infrastructure – often operating in global locations where international law enforcement cooperation is non-existent and utilizing bullet-proof hosting providers, which are unresponsive to legal process.

There may be a temporary decline in ransomware activity in the wake of the website seizure as groups scramble to harden defenses and tighten their inner circles, but this will not make an overall, noticeable impact on global ransomware attacks. History has shown that ransomware gangs that disband either due to law enforcement actions, internal strife, or geo-political reasons will sometimes regroup under a different name. Conti, one of the most active ransomware gangs in recent history, shuttered operations soon after one of their members leaked internal Conti communications. Former members of the group are suspected of spinning off into newer groups such as BlackBasta and BlackByte.”

Jan Lovmand, CTO, BullWall:

“What is a significant win for law enforcement could in reality be a road bump for the Hive ransomware group. Whenever law enforcement starts paying too significant attention and effort to a particular group, they often scatter or reorganize under a different name. We have seen these seizures before, only for the gang to surface with new extortion sites and ransomware names, or sometimes as several smaller groups. In the past they have seen these interruptions as temporary setbacks to a very lucrative business – similar to when a drug cartel has a shipment seized. They lose some income, get disrupted, but rarely stop their criminal activity to become honest working individuals. Law enforcement in several regions has in the past recovered ransoms paid to other gangs or seized decryption keys, but what is different this time is how many victims the FBI has been able to help and for how long.”

Eric O’Neill, National Security Strategist, VMware:

“The disruption of the notorious Hive ransomware group demonstrates that the FBI has increased its ability to investigate and track threat actors across the Dark Web. This supports the commendable work the FBI’s IC3 is doing to track cybercrime attacks and coordinate efforts to repatriate stolen funds from cybercriminals, further reinforcing the importance of notifying the IC3 when a ransomware attack occurs.

It’s also worth noting how large the Dark Web has grown and how well-resourced new cyber crime syndicates, such as Hive, have become. The Dark Web is currently the third largest economy on Earth measured by GDP, which is larger than Japan or Germany. By 2025, this will grow larger than both countries combined. The FBI’s work to shut down Hive servers and repatriate encryption keys is a great step in the right direction, but it is only a step along a distant marathon to stop Dark Web-resourced cyber crime.”

Julia O’Toole, CEO, MyCena Security Solutions:

“When CISOs are reading the news about Hive’s takedown, it would be wise for them to also focus on the data being revealed about the gang’s victims and the financial losses they inflicted. The alarming numbers may be about Hive, but other ransomware gangs that have even more victims under their belt are still in operation and still pose a very real and credible threat today.

Organizations should use this takedown as a warning that ransomware is a damaging threat that is far from over. As the number one route to a ransomware attack is by gaining initial network access, network infrastructure access must be the number one priority.

When it comes to defense tools, access segmentation and encryption provide the greatest protection. These solutions stop data breaches from propagating through networks and morphing into ransomware attacks, while they also help prevent phishing attacks on employees, since they don’t know the passwords they use.”

Alfredo Hickman, Head of Information Security, Obsidian Security:

“Today’s news sends a very loud message to all cybercrime groups that if you are on this administration’s radar, they are going to be proactive – and if you get within reach of the American legal and justice system, they will hold you accountable. Some experts believe this approach still lacks teeth due to the risk/reward calculus that heavily favors cybercrime organizations operating outside the reach of the US justice system.

However, this more aggressive and proactive approach to disrupting cybercrime operations should cause pause and recalculation within some organizations. As these announcements continue to roll out and as related cybercrime operations continue to be disrupted and pressure is applied to host nations, I believe there will be fewer attacks on at least the most sensitive establishments, such as hospitals or critical infrastructures due to the near-universal condemnation and political blowback.”

The post Industry Reactions to Hive Ransomware Takedown: Feedback Friday appeared first on SecurityWeek.

US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware


Following the shutdown of the Hive ransomware operation by law enforcement, the US government has reminded the public that a reward of up to $10 million is offered for information on cybercriminals.

Authorities in the United States and Europe announced on Thursday the results of a major law enforcement operation targeting the Hive ransomware. More than a dozen agencies collaborated to take down the Tor-based leak website used by the group and other parts of its infrastructure, including servers located in Los Angeles.

The FBI revealed that Hive’s ‘control panel’ was hacked by agents in July 2022, allowing them to identify targets and obtain decryption keys that allowed victims to recover encrypted files. The FBI and Europol said they prevented the payment of more than $130 million to the cybercriminals. 

The Hive ransomware operation was launched in June 2021 and it has since made more than 1,500 victims across roughly 80 countries. It’s believed that administrators and affiliates made approximately $100 million from ransom payments. 

Authorities continue to investigate Hive in an effort to identify the threat actors involved in the operation, including developers, administrators and affiliates. 

After the operation against Hive was announced on Thursday, the US State Department reiterated that it’s prepared to pay up to $10 million for information on the identity or location of foreign state-sponsored threat actors that have targeted critical infrastructure. This includes individuals linked to Hive. 

At least some of the people involved in the Hive ransomware operation are believed to be Russian speakers. However, during a press conference announcing the law enforcement operation against Hive on Thursday, US officials refused to comment on potential ties to Russia, citing the ongoing investigation. 

The US government previously reiterated its $10 million reward offer for leaders of the Conti ransomware operation, North Korean hackers, Russian intelligence officers, and DarkSide ransomware operators.

Related: US Government Shares Photo of Alleged Conti Ransomware Associate

Related: US Offers $10 Million Reward Against Election Interference


US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’


The FBI has at least temporarily dismantled the network of a prolific ransomware gang it infiltrated last year, saving victims including hospitals and school districts a potential $130 million in ransom payments, Attorney General Merrick Garland and other U.S. officials announced Thursday.

“Simply put, using lawful means we hacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference.

Officials said the targeted syndicate, known as Hive, operates one of the world’s top five ransomware networks. The FBI quietly gained access to its control panel in July and was able to obtain software keys to decrypt the network of some 1,300 victims globally, said FBI Director Christopher Wray. Officials credited German police and other international partners.

It was not immediately clear how the takedown will affect Hive’s long-term operations, however. Officials did not announce any arrests but said they were building a map of Hive’s administrators, who manage the software, and affiliates, who infect targets and negotiate with victims, to pursue prosecutions.

“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.

On Wednesday night, FBI agents seized computer infrastructure in Los Angeles that was used to support the network. Hive’s dark web site was also seized.

“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack,” Wray said.

Garland said that thanks to the infiltration, led by the FBI’s Tampa office, agents were able in one instance to disrupt a Hive attack against a Texas school district, stopping it from making a $5 million payment.

The operation is a big win for the Justice Department. The ransomware scourge is the world’s biggest cybercrime headache with everything from Britain’s postal service and Ireland’s national health service to Costa Rica’s government crippled by Russian-speaking syndicates that enjoy Kremlin protection. The criminals lock up, or encrypt, victims’ computer networks, steal sensitive data and demand large sums.

As an example of Hive’s threat, Garland said it had prevented a hospital in the Midwest in 2021 from accepting new patients at the height of the COVID-19 epidemic.

A U.S. government advisory last year said Hive ransomware actors victimized over 1,300 companies worldwide from June 2021 through November 2022, receiving approximately $100 million in ransom payments. It said criminals using Hive ransomware targeted a wide range of businesses and critical infrastructure, including government, manufacturing and especially health care and public health facilities.

The threat captured the attention of the highest levels of the Biden administration two years ago after a series of high-profile attacks that threatened critical infrastructure and global industry. In May 2021, for instance, hackers targeted the nation’s largest fuel pipeline, causing the operators to briefly shut it down and make a multimillion-dollar ransom payment that the U.S. government largely recovered.

Federal officials have used a variety of tools to try to combat the problem, but conventional law enforcement measures such as arrests and prosecutions have done little to frustrate the criminals.

The FBI has obtained access to decryption keys before. It did so in the case of a major 2021 ransomware attack on Kaseya, a company whose software runs hundreds of websites. It took some heat, however, for waiting several weeks to help victims unlock afflicted networks.


Hive Ransomware Operation Apparently Shut Down by Law Enforcement


The Hive ransomware operation appears to have been shut down as part of a major law enforcement operation involving agencies in 10 countries. 

A message displayed in English and Russian on the Hive ransomware operation’s Tor-based website reads: “The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware.”

Another message says the action was taken in coordination with Europol and authorities in Florida, which indicates that more details will likely be made available in the upcoming period by the Justice Department and Europol.

Until law enforcement agencies confirm the shutdown of Hive, there is a slight chance that the website seizure notice was posted by the cybercriminals themselves. Hacker groups falsely claiming to have been shut down by police is not unheard of. 

However, Allan Liska, a ransomware expert working for threat intelligence company Recorded Future, reported that the Hive infrastructure was seized. Liska also posted an image showing that many well-known ransomware groups have fallen.

The US government reported in November 2022 that the Hive ransomware gang had hit more than 1,300 businesses and collected an estimated $100 million in ransom payments.

Data collected by the DarkFeed deep web intelligence project shows that Hive was still active last week. 

The Hive ransomware operation was launched in 2021. Offered under a ransomware-as-a-service (RaaS) model, the ransomware was often used against organizations in the healthcare sector, as well as other critical infrastructure. 

The hackers used malware to encrypt the target’s files, but not before stealing data that could be used to pressure the victim into paying up. 

A free decryptor for files encrypted with the Hive ransomware was released by a South Korean cybersecurity agency in the summer of 2022. 

Related: Russia Lays the Smackdown on REvil Ransomware Gang

Related: Six Arrested for Roles in Clop Ransomware Operation

Related: DarkSide Ransomware Shutdown: An Exit Scam or Running for Hills?


Riot Games Says Source Code Stolen in Ransomware Attack


Video games developer Riot Games on Tuesday confirmed that source code was stolen from its development systems during a ransomware attack last week.

The incident was initially disclosed on January 20, when the company announced that systems in its development environment had been compromised and that the attack impacted its ability to release content.

“Earlier this week, systems in our development environment were compromised via a social engineering attack. We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained,” the company announced last week.

On January 24, Riot Games revealed that ransomware was used in the attack and that source code for several games was stolen.

“Over the weekend, our analysis confirmed source code for League, TFT, and a legacy anticheat platform were exfiltrated by the attackers,” the games developer said.

The company reiterated that, while the development environment was disrupted, no player data or personal information was compromised in the attack.

The stolen source code, which also includes some experimental features, will likely lead to new cheats emerging, the company said.

“Our security teams and globally recognized external consultants continue to evaluate the attack and audit our systems. We’ve also notified law enforcement and are in active cooperation with them as they investigate the attack and the group behind it,” Riot Games added.

The game developer also revealed that it received a ransom demand, but noted that it has no intention to pay the attackers. The company has promised to publish a detailed report of the incident.

According to Motherboard, the attackers wrote in the ransom note that they were able to steal the anti-cheat source code and game code for League of Legends and for the usermode anti-cheat Packman. The attackers are demanding $10 million in return for not sharing the code publicly.

Related: Ransomware Revenue Plunged in 2022 as More Victims Refuse to Pay Up: Report

Related: Ransomware Attack on DNV Ship Management Software Impacts 1,000 Vessels

Related: The Guardian Confirms Personal Information Compromised in Ransomware Attack
