FBI takes down massive ransomware gang by ‘hacking hackers’
What happened now? Ironically, the infamous ransomware-as-a-service (RaaS) gang was taken down after the FBI infiltrated its systems, disrupted operations, and took over its websites. Or, as the Deputy Attorney General of the United States put it, “the hackers got hacked.”
Speaking at a press conference, U.S. Attorney General Merrick Garland, FBI Director Christopher Wray and Deputy U.S. Attorney General Lisa Monaco announced that the government had secretly infiltrated the networks of the Hive ransomware gang in July 2022 before launching a six-month monitoring operation.
During this infiltration, the government managed to steal more than 300 decryption keys from Hive and give them to the victims of the attack, preventing the payment of a ransom worth about $130 million, including $5 million from the Texas School District. The feds also gave away over 1,000 additional decryption keys to previous Hive victims.
The FBI used its access to the Hive infrastructure to alert targets of impending attacks, giving them time to harden their systems and prepare. Hive Tor payment systems and data leak sites were also hijacked.
According to BleepingComputer, the FBI obtained access to two dedicated servers and one virtual private server from a hosting provider in California, which were rented using email addresses belonging to Hive members. In a coordinated effort, the Dutch police also gained access to two dedicated backup servers hosted in the Netherlands. Law enforcement confirmed that these servers served as the main data leak site, meeting point, and web panels for Hive and its affiliates.
According to the affidavit: “In addition to the decryption keys, when the FBI examined the database found on Target Server 2, the FBI found Hive communications records, malware file hash values, information about 250 Hive affiliates, and victim information. It was previously obtained using a key decryption operation.”
The FBI notice (above) posted on the hijacked Hive Tor website notes that many countries were involved in the coordinated takedown, including Germany, Canada, France, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the UK.
“Using legal means, we broke into the hackers,” Monaco told reporters. “We made a difference with Hive.”
Hive, launched in June 2021, has targeted more than 1,500 victims in 80 different countries throughout its existence. As with other RaaS organizations, it rented out malware to other criminals for a portion of the ransom.
The gang has raised more than $100 million in ransomware payments, and while no arrests have been reported, a department spokesman suggested this would change soon. Unlike other ransomware operators, Hive has never stated its intention to avoid attacks on hospitals or emergency services.
Header image credit: Sebastian Stam