At a glance.
- Hive ransomware gang taken down.
- Killnet continues reprisals against German targets.
- CISA releases eight ICS advisories.
- CISA also adds an entry to its Known Exploited Vulnerabilities Catalog.
Hive ransomware gang taken down.
The US Department of Justice says that a joint US and European operation has taken down the notorious Hive ransomware gang. Thursday morning, Hive’s site was replaced with a notice: "The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware." The European participants were, in addition to Europol, police in the Netherlands and Germany. (The German participants included both federal agencies and police in Baden-Württemberg.) The action was called "Operation Dawnbreaker." The U.S. Department of Justice characterizes Hive as a ransomware-as-a-service operation that made heavy use of double extortion in its crimes. Hive was also notorious in its target selection, hitting, among other victims, hospitals and schools. Its attacks against hospitals in some cases disrupted the delivery of care.
The FBI has been quietly at work against the gang since last summer, infiltrating Hive, taking decryption keys, and enabling Hive’s victims to avoid paying the ransom the gang demanded. FBI Director Christopher Wray said, at a press conference yesterday, "Last July, FBI Tampa gained clandestine, persistent access to Hive’s control panel. Since then, for the past seven months, we’ve been able to exploit that access to help victims while keeping Hive in the dark, using that access to identify Hive’s victims and to offer over 1,300 victims around the world keys to decrypt their infected networks, preventing at least $130 million in ransom payments, cutting off the gas that was fueling Hive’s fire." Reuters quotes Deputy U.S. Attorney General Lisa Monaco as saying, "Using lawful means, we hacked the hackers. We turned the tables on Hive."
No arrests were announced, the Wall Street Journal notes. Director Wray said at his press conference, however, that Operation Dawnbreaker continues and is moving on to its next phase. Any arrests would presumably come in that subsequent phase, but most if not all of the perpetrators are in Russia, and so may be effectively out of reach. (Unless, of course, they should flee mobilization and land in a place with an effective extradition treaty, or choose a foreign vacation spot unwisely.) Tom Kellermann, CISM, Senior VP of cyber strategy at Contrast Security, yesterday emailed comments on what it would take to bring ransomware under control. “The real challenge lies in the protection racket that exists between the cybercrime cartels and the Russian regime, which endows them with untouchable status from western law enforcement. We must recognize that the majority of the proceeds from ransomware allow for Russia to offset economic sanctions.” We might also mention the gangs' usefulness to Moscow as privateers and auxiliaries. For more on the Hive takedown, see CyberWire Pro.