The Hive hacker gang that attacked hospitals infiltrated the FBI

WASHINGTON — The FBI and international partners have at least temporarily disrupted the network of a prolific extortion ring they infiltrated last year, saving victims, including hospitals and school districts, a potential $130 million in ransom, Attorney General Merrick Garland and others said Thursday. US officials.

“To put it simply, we hacked the hackers through legal means,” Deputy Attorney General Lisa Monaco said at a press conference.

Officials said a targeted syndicate known as Hive operates one of the world’s top five ransomware networks and is actively attacking hospitals and other healthcare providers. According to FBI Director Christopher Wray, the FBI quietly gained access to its control panel in July and was able to obtain software keys to decrypt the network of approximately 1,300 victims worldwide. Officials trust the German police and other international partners.

Related: Health care providers are the new front in the cybersecurity war

However, it was not immediately clear how the removal would affect Hive’s long-term operations. Officials did not announce arrests, but said they were mapping Hive administrators who run the software and affiliates who infect targets and negotiate with victims to secure prosecution.

“I think everyone involved with Hive should be concerned because this investigation is ongoing,” Ray said.

On Wednesday evening, FBI agents seized computer infrastructure in Los Angeles that was used to support the network. Two dark Hive websites were hijacked: one used to leak data on non-payers, the other to negotiate for extortion of payments.

“Cybercrime is an ever-evolving threat, but as I said before, the Justice Department will spare no resources to prosecute anyone anywhere that targets the United States with ransomware,” Garland said.

Garland said that thanks to the infiltration by the FBI’s Tampa office, the agents were able, in one instance, to prevent Hive’s attack on a Texas school district by preventing him from making a $5 million payment.

The operation is a big victory for the Department of Justice. Ransomware is the biggest headache for cybercriminals in the world, with everything from the UK Postal Service and the Irish National Health Service to the government of Costa Rica suffering from Kremlin-protected Russian-speaking syndicates.

Criminals block or encrypt victims’ computer networks, steal confidential data, and demand large sums of money. Ransomware has evolved to the point where data is stolen before the ransomware is activated and is held hostage. Pay with cryptocurrencies, otherwise criminals will make it public.

As an example of the threat, Ulya Garland said that in 2021 he prevented a Midwestern hospital from accepting new patients in the midst of the COVID-19 epidemic.

Not a Modern Healthcare subscriber? Register Today.

The online takedown notice, which alternates between English and Russian, mentions Europol and the German partners. German news agency dpa quoted the Stuttgart prosecutor’s office as saying cyber experts in the southwestern city of Esslingen played a critical role in infiltrating Hive’s criminal IT infrastructure after a local company was targeted.

Europol said in a statement that companies in more than 80 countries, including multinational oil companies, have been compromised by Hive. It says that Europol helped with cryptocurrencies, malware and other analysis, and that law enforcement agencies from 13 countries participated in these efforts.

Last year, a U.S. government adviser reported that from June 2021 to November 2022, Hive ransomware attackers targeted more than 1,300 companies worldwide, receiving about $100 million in ransom. It states that criminals using Hive ransomware tools as a service target a wide range of businesses and critical infrastructure, including government, manufacturing, and especially healthcare and public health institutions.

Even though the FBI has offered decryption keys to about 1,300 victims worldwide, Ray said only about 20% have reported potential problems to law enforcement.

“Here, fortunately, we were able to identify and help many victims who did not report. But that’s not always the case,” Ray said. “When victims report attacks to us, we can help them and others.”

In some cases, cybersecurity experts say, victims quietly pay a ransom without notifying the authorities – and even if they were able to quickly restore their networks – because the criminals stole files that could cause them serious damage if leaked to the network, for example, information that can be used to steal personal information.

John Hultquist, head of threat intelligence at cybersecurity firm Mandiant, said the Hive crash would not cause a major drop in overall ransomware activity, but would nevertheless be “a blow to a dangerous group.”

“Unfortunately, the criminal market at the heart of the ransomware problem ensures that competitor Hive will be willing to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to attack hospitals.” Hultquist said.

But Brett Callow, an analyst at cybersecurity firm Emsisoft, said the operation has the potential to reduce the credibility of ransomware scammers in a business with very high returns and low risk.

“The information collected may point to affiliates, money launderers and others involved in the ransomware supply chain,” Callow said.

And analyst Allan Liska of cybersecurity firm Recorded Future said the operation shows that “a multifaceted law enforcement strategy of arrests, sanctions, seizures and more is working to slow down ransomware attacks.” He predicted that this would lead to charges, if not actual arrests, in the next few months.

The ransomware threat caught the attention of the top echelons of the Biden administration two years ago after a series of high-profile attacks that threatened critical infrastructure and global industry. For example, in May 2021, hackers targeted the nation’s largest fuel pipeline, causing operators to shut it down briefly and pay a multi-million dollar ransom that the US government has largely returned.

Federal officials have used a variety of tools to try and fight the problem, but conventional law enforcement measures such as arrests and prosecutions have done little to upset the perpetrators.

The FBI has already had access to the decryption keys. This was the case in the case of a major ransomware attack in 2021 on Kaseya, a company whose software manages hundreds of websites. However, it took some time to wait a few weeks to help the victims unblock the affected networks.

Download the Modern Healthcare app to keep up to date with industry news.