An international operation that involved the FBI hacking the hackers has taken down the Hive ransomware-as-a-service operation.
Taking down the Hive ransomware gang.
The US Department of Justice says that a joint US and European operation has taken down the notorious Hive ransomware gang. Thursday morning Hive’s site was replaced with a notice: "The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware." The European participants were, in addition to Europol, police in the Netherlands and Germany. (The German participants included both federal agencies and police in Baden-Württemberg.) The action was called "Operation Dawnbreaker."
The Department of Justice characterizes Hive as a ransomware-as-a-service operation that made heavy use of double-extortion in its crimes:
"Hive used a ransomware-as-a-service (RaaS) model featuring administrators, sometimes called developers, and affiliates. RaaS is a subscription-based model where the developers or administrators develop a ransomware strain and create an easy-to-use interface with which to operate it and then recruit affiliates to deploy the ransomware against victims. Affiliates identified targets and deployed this readymade malicious software to attack victims and then earned a percentage of each successful ransom payment.
"Hive actors employed a double-extortion model of attack. Before encrypting the victim system, the affiliate would exfiltrate or steal sensitive data. The affiliate then sought a ransom for both the decryption key necessary to decrypt the victim’s system and a promise to not publish the stolen data. Hive actors frequently targeted the most sensitive data in a victim’s system to increase the pressure to pay. After a victim pays, affiliates and administrators split the ransom 80/20. Hive published the data of victims who do not pay on the Hive Leak Site."
Hive was also notorious in its target selection, hitting, among other victims, hospitals and schools. Its attacks against hospitals in some cases disrupted delivery of care.
The FBI has been quietly at work against the gang since last summer, infiltrating Hive, taking decryption keys, and restoring lost funds to Hive’s victims. FBI Director Christopher Wray said, at a press conference yesterday, "Last July, FBI Tampa gained clandestine, persistent access to Hive’s control panel. Since then, for the past seven months, we’ve been able to exploit that access to help victims while keeping Hive in the dark, using that access to identify Hive’s victims and to offer over 1,300 victims around the world keys to decrypt their infected networks, preventing at least $130 million in ransom payments, cutting off the gas that was fueling Hive’s fire." Reuters quotes Deputy U.S. Attorney General Lisa Monaco as saying, "Using lawful means, we hacked the hackers. We turned the tables on Hive."
No arrests were announced, the Wall Street Journal notes. Director Wray said at his press conference, however, that Operation Dawnbreaker continues and is moving on to its next phase.
The absence of arrests may be a function of the criminals' geographical location. Hive was a Russophone group, based mainly in Russia. The Washington Post points out that, while Hive wasn't an arm of the Russian organs, it was at the very least tolerated and enabled by those official organs. It effectively operated as a privateer, taking prizes belonging to countries that were not friendly to Russia.
Extensive international cooperation in Operation Dawnbreaker.
Europol says that a total of thirteen nations participated in Operation Dawnbreaker. The participating nations and agencies were:
- Canada: Royal Canadian Mounted Police (RCMP) and Peel Regional Police
- France: National Police (Police Nationale)
- Germany: Federal Criminal Police Office (Bundeskriminalamt) and Police Headquarters Reutlingen – CID Esslingen (Polizei BW)
- Ireland: National Police (An Garda Síochána)
- Lithuania: Criminal Police Bureau (Kriminalinės Policijos Biuras)
- Netherlands: National Police (Politie)
- Norway: National Police (Politiet)
- Portugal: Judicial Police (Polícia Judiciária)
- Romania: Romanian Police (Poliția Română – DCCO)
- Spain: Spanish Police (Policía Nacional)
- Sweden: Swedish Police (Polisen)
- United Kingdom: National Crime Agency
- USA: United States Secret Service and Federal Bureau of Investigation
Centralized criminal operations are distinctly vulnerable to disruption.
Hive operated on an affiliate model. Such operations look decentralized on the surface, but in practice the affiliates depend heavily on the central organization for the malware, the infrastructure, and the payment handling: strike at the head, and the affiliates are unlikely to recover rapidly.
Crane Hassold, former FBI cyber psychological operations analyst and Head of Research at Abnormal Security, commented on the significance of the takedown.
“Unlike some other cyber threats, like business email compromise (BEC), the ransomware landscape is very centralized, meaning a relatively small number of groups are responsible for a majority of all the attacks. The silver lining to this top-heavy ecosystem is that disruptive actions against one of these primary groups, such as law enforcement takedowns, can have a significant impact on the overall landscape. Since Hive has been one of the biggest players in the ransomware space over the past year, I would expect this takedown to have a noticeable impact on ransomware volume, at least in the short-term.
"Because of the increased pressure from global law enforcement and the likely regulatory controls of cryptocurrency, one of the biggest drivers of today’s ransomware landscape, it’s very possible that we’ll start to see ransomware actors pivot to other types of cyber attacks, like BEC. BEC is the most financially-impactful cyber threat today and, instead of using their initial access malware to gain a foothold on a company’s network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks.”
(Added, 12:00 noon, January 27th, 2023. Satnam Narang, Senior Staff Research Engineer, at Tenable, wrote to draw attention to the fact that ransomware gangs, too, face reputational risk:
"The actions undertaken by U.S. agencies to disrupt the Hive ransomware group operation from within is an unprecedented step in the fight against ransomware, which has steadily remained the biggest threat facing most organizations today. While this may signal the end of the Hive ransomware group, its members and affiliates remain a threat. If there’s anything we’ve learned after past disruptive actions against ransomware groups, it's that other groups will rise to fill the void left behind.
"Affiliates, which are typically responsible for conducting most of these attacks, can easily pivot to other affiliate programs of groups that remain operational and ransomware group members can also take their knowledge to these groups.
"One of the key ways ransomware groups gain attention and notoriety is by publishing their successful attacks on data leak sites on the dark web. It wouldn’t surprise me if ransomware groups see the threat posed by maintaining these sites and stop publicly listing these attacks in an attempt to stay under the radar.")
The difficulty of taking down ransomware gangs.
On the other hand, criminal operations have, in time, shown themselves able to reconstitute and return to action. Hive itself is generally regarded as a successor to Conti, with many of the defunct gang's talent moving to the younger organization.
The downfall of Hive is welcome, but such gangs have in the past seen former members resume criminal activities in other organizations, either a rebranding of the original gang or some successor organization. Nonetheless, these takedowns do hurt the criminal organizations. Industry experts applauded Operation Dawnbreaker and hope for good results.
Roger Grimes, data-driven defense evangelist at KnowBe4, sees gangland as an octopus. "Cut off a tentacle and another tentacle grows. We've had several disruptions in the past and they are always temporary and either the same ransomware group revives or another new group takes over its place. But I will say that what CISA, DOJ, and the FBI are doing to disrupt ransomware is having a real impact. The ransomware gangs are finding it increasingly hard to make a living extorting companies. Extortion payments are down big time. More victims aren't paying. And it's becoming increasingly harder for the bad guys to make the same level of revenue they made in the past. Ransomware is still rampant, but what the feds are doing is putting a damp in their step...it is having real, long-term impact. This latest announcement is just another drop in the bucket sending the message to ransomware groups that they are facing a legal adversary that fights back!"
Erich Kron, security awareness advocate at KnowBe4, also hails the takedown as good news. “The takedown of the Hive ransomware group is great news for victims and sends a message to the ransomware groups that they cannot operate forever with impunity. This group in particular seemed to focus on very critical areas of infrastructure and health care. This targeting of industries with potentially serious ramifications due to outages is likely what drew this focused attention of law enforcement, eventually leading to their demise. Because this is a RaaS (Ransomware-as-a-Service) structured group, many of the affiliates who actually carried out the attacks, and who were responsible for gaining initial network access to their victims, are not likely to be swept up in this law enforcement action. However, by taking down the infrastructure and hopefully some of the developers, it will have a fairly significant impact on this industry and will allow current victims to recover quickly. Unfortunately, there will be plenty of groups that are still operating that will be happy to welcome the affiliates associated with this group into their own teams, meaning this is not the end of ransomware by any means.”
Austin Berglas, Global Head of Professional Services, BlueVoyant, hopes the takedown will have a deterrent effect.
"The seizure of the website used by Hive will hopefully serve as a deterrent to other individuals and groups looking to engage in criminal activity. Although this will not dismantle the Hive organization, it will certainly disrupt operations for a period of time - forcing the group to establish new infrastructure if they intend on continuing criminal activity under the same Hive moniker.
"True dismantlement comes only when law enforcement can 'put hands on' or arrest the individuals responsible. However, identifying the actual human beings behind the keyboard is a very difficult task. Many of these cyber criminals are adept at anonymizing their online communications, locations, and infrastructure - often operating in global locations where international law enforcement cooperation is non-existent and utilizing bullet-proof hosting providers, which are unresponsive to legal process.
"There may be a temporary decline in ransomware activity in the wake of the website seizure as groups scramble to harden defenses and tighten their inner circles, but this will not make an overall, noticeable impact on global ransomware attacks. History has shown that ransomware gangs that disband either due to law enforcement actions, internal strife, or geo-political reasons will sometimes regroup under a different name. Conti, one of the most active ransomware gangs in recent history, shuttered operations soon after one of their members leaked internal Conti communications. Former members of the group are suspected of spinning off into newer groups such as BlackBasta and BlackByte."
Steven Stone, Head of Rubrik Zero Labs (the company's cybersecurity research unit) likes what he sees as an instance of a whole-of-government approach to cybercrime.
“Rubrik is a proponent of whole-of-government approaches to an existential threat like ransomware. Today’s takedown of the HIVE site is a great win for everyone working against ransomware.”
“In the long term, efforts like this and others like targeting dirty crypto transfers or indictments will work to change the threat landscape. In the short to mid-term, today’s takedown will likely not produce a profound impact.”
“Ransomware groups, in particular Ransomware-as-a-Service groups like HIVE, have demonstrated a strong ability to reconstitute as a new group. Additionally, there are anywhere from 45-55 ransomware groups active in the last year with all but HIVE being unaffected today.”
“FBI Director Chris Wray noted only ~20% of HIVE victims reported their event to federal authorities in the time when DoJ maintained access to HIVE operations. This should be an important reflection point that as tough as we think the ransomware landscape is, it is likely multiple times larger than publicly discussed. Rubrik recommends organizations continue to improve their security posture and work to reduce risk for their operations.”
"While this doesn't stop the threat of ransomware, it is absolutely a step in the right direction and as more of these groups, especially high visibility ones like Hive, are dismantled by law enforcement, assets seized, and hopefully arrests made, we can certainly hope that this will make participating in cybercrime groups like this less appealing to potential cyber criminals.”
Developing organizational resistance to ransomware attacks.
(Added, 12:00 noon, January 27th, 2023. Caroline Seymour, VP, product marketing, at Zerto, a Hewlett Packard Enterprise company, applauded the takedown. “The recent announcement from the DOJ that the FBI is cracking down on the Hive, one of the most prolific hacker gangs in the world, is good news from an enforcement standpoint," she wrote. "It serves to highlight how large the ransomware ecosystem has grown — with the gang receiving more than $100 million in extortion payments. These criminals are relentless, and they are emboldened by the amount of money they can extort. However, for vulnerable organizations, this is why the primary focus must be getting their system back up and running after an attack. When a service provider is disabled and access to data is held in exchange for ransom, the best way to fight back and get up and running again is to have a recovery solution in place that protects systems from disruption and provides a path to instant recovery." She also noted some steps organizations can take to make themselves more resistant to the effects of ransomware. "The challenge many organizations face is that they rely on day-old or even week-old backups to restore their data. This results in inevitable gaps and data loss that can be highly disruptive and add significantly to the overall recovery cost," she observed, adding, "The key is having a solution that’s always on with enough granularity to recover to a point in time precisely before the attack occurred without time gaps. The best solution will be one that uses continuous data protection (CDP) and keeps valuable data protected in real-time.")
(Added, 3:15 PM, January 27th, 2023. Exabeam's CISO, Tyler Farrar, offered some perspective on the FBI's ability to access threat group's infrastructure, and closed with some advice for organizations as they think about ways of becoming more resilient in the face of the ransomware threat:
“The government prioritizes the takedown of certain groups over others based on a variety of factors, including the access they have to the threat actor’s computer network(s) and the level of threat they pose to national security and public safety. The Hive ransomware group has been considered particularly dangerous due to their attempts to extort hundreds of millions of dollars from its victims.
"The takeaways are also important. By obtaining the decryption keys of a RaaS group, the government could potentially gain insight into their operations and infrastructure, including information on their funding sources, recruitment methods, and the individuals behind the group. This information could be used to disrupt and dismantle the group's operations, as well as to identify and prosecute individuals involved in the group. To pass this information to companies without alerting other groups of all the details, the government could use various methods such as redacting sensitive information, sharing information on a need-to-know basis, or providing the information in a general format that does not reveal specific details about the group. Additionally, the government could work with companies to develop and implement security measures that would protect them from similar RaaS attacks in the future.
"There is a possibility that the individuals behind the Hive operations could reappear under a different name and using different methods. Criminal organizations and cybercriminals often adapt and evolve to evade detection and continue their illegal activities. However, the FBI is seeking to identify key members of the group, disrupt their funding sources, and seize assets that would make it difficult for them to continue their operations. It's important to note that the fight against cybercrime is an ongoing process, and it is not always possible to completely eliminate a group or organization. Even if the individuals behind the Hive are arrested or their operations are disrupted, it is possible that others will take their place and continue similar activities. Therefore, it's important for law enforcement agencies and organizations to stay vigilant and continue to work together to combat cybercrime.
"My advice to SOC teams is that a multi-layered approach to security must be taken; it must include both preventative and detective measures, as well as incident response protocols. Suggestions include:
- Regularly patch and update software and systems to reduce vulnerabilities
- Implement robust access controls to limit the potential impact of a successful attack
- Implement endpoint protection to detect and prevent malicious activity
- Regularly back up important data and keep offline copies
- Be aware of the threat landscape and stay informed of new tactics, techniques, and procedures used by RaaS groups
- Implement security awareness training for employees to help them understand the risks and how to detect and report suspicious activity
- Implement a user and device behavioral analytics capability for threat detection, investigation, and response
- Have an incident response plan in place and test it regularly
- Have a communication plan in place for incident response to be able to notify and coordinate with the relevant stakeholders
- Work with law enforcement and other organizations to share intelligence and coordinate responses to threats”)
The importance of international cooperation against gangs with transnational operations.
Michael Mestrovich, Rubrik’s CISO and former CISO of the CIA, thinks Hive may have taken a financial bath, but that the gang bears watching. “While the ransomware economy remains lucrative, there are signs that the US and international law enforcement stings are making a dent in the hackers’ earnings. Ransomware revenue fell to about $457 million in 2022, down from $766 million in 2021, according to data from cryptocurrency-tracking firm Chainalysis. I am not sure if that is a sign of hope or just a blip on the radar but it is something to keep in mind.”
Terry Olaes, Senior Technical Director at Skybox Security, is unsurprised: Hive has drawn a lot of attention to itself.
"The seizing of Hive ransomware gang’s sites and decryption keys comes as no surprise, as the prolific group had received over $100 million in ransom payments from more than 1,300 victims since they were initially discovered in June 2021. In November 2022, the FBI, CISA, and HHS issued a joint #StopRansomware advisory when the group gained access to victim networks by distributing phishing emails with malicious attachments and through the exploitation of Microsoft Exchange Server vulnerabilities. Through the U.S. and European law enforcement agencies' operation, they were able to warn targets of impending attacks, learn about them beforehand, and obtain and disseminate decryption keys to victims, saving the victims $130 million in ransom payments.
"Skybox Research Lab found that ransomware programs increased by 42% in 2021. While assessing the gravity of vulnerabilities, it is essential to prioritize network accessibility, exposure, exploitability and commercial effect. Additionally, the Hive ransomware gang’s abilities serve as an important reminder of the serious financial losses that could result from ransomware gangs targeting businesses. Protecting enterprises requires that the attack surface is defined, risk measurement can include multiple factors like tools that can measure the financial effect of cyber risks on businesses and a quantification approach that will enable organizations to recognize and rank hazards according to their financial consequences. Establishing exposure-based risk scores to help prioritize the urgency of vulnerability remediation can greatly improve the maturity of vulnerability management programs and will assure rapid recovery.
Tom Kellermann, CISM, Senior VP of cyber strategy at Contrast Security, commented: “Today’s disruption of the Russian HIVE ransomware infrastructure underscores the historic international cooperation between law enforcement agencies. The International Ransomware taskforce is having an impact. The real challenge lies in the protection racket that exists between the cybercrime cartels and the Russian regime, which endows them with untouchable status from western law enforcement. We must recognize that the majority of the proceeds from ransomware allow for Russia to offset economic sanctions.”
(Added, 12:00 noon, January 27th, 2023. Aaron Sandeen, CEO, Cyber Security Works, hopes to see more such international cooperation against other gangs. “Hive Ransomware has affected a great number of people through targeting services needed for living everyday life, like electrical and health," he said. "It’s a good day when a ransomware group like Hive has been severely weakened. This is a step in the right direction with joint international law enforcement efforts, like those between the DOJ and Europol. It will lead towards a future security experts hope for and provide much-needed relief in an unbalanced playing field. Although this is positive news, it’s essential to understand these operations remain elusive because of their fractured organizational structure. Conti, BianLian, AvosLocker, BlackCat, LockFile, Karma, BlackByte, and Babuk are all ransomware groups that exploit similar vulnerabilities and are all in operation. We hope for continued international cooperation to take these menaces down, but in the meantime, organizations must remain vigilant and protect their systems.”)
How the cyber underworld may respond to the takedown.
(Added, 5:30 PM, January 27th, 2023. Armorblox Chief Security Officer Brian Johnson expressed approval of the takedown. "This action from the US agencies is definitely a step in the right direction," he wrote in emailed comments. "Specifically looking at attack vectors like ransomware and credential phishing across our 58,000+ tenants, we see a concentration into a few different threat actors at the top - including Hive - so taking them out will have a large impact on the number of attacks that organizations would see."
He also sees signs that takedowns of this kind are moving criminals away from more complicated attacks to crimes that are easier to pull off. "At the same time, precisely because of regulatory and law enforcement actions, we are seeing threat actors moving away from ransomware and crypto based attacks to easier attack methods to compromise organizations and steal money or credentials. In the past two years, the two most common cyber insurance claims have been business email compromise and vendor fraud, not ransomware. The arrival of ChatGPT is showing attackers the art of the possible when it comes to using language models to create more realistic and successful phishing and business compromise attacks, and in response organizations will need to do the same to defend themselves against the next wave of attacks.")
(Added, 2:15 PM, January 31st, 2023. Lou Steinberg, of CTM Insights, wrote to point out the ways in which criminal organizations are resilient in the face of takedowns, especially when it's not possible, or at least not practicable, to arrest their members.
"The FBI recently reported that they had shut down the “Hive” ransomware group. This is the latest takedown in a series of similar law enforcement actions. Unfortunately, it may just be temporary.
"What happened was twofold. First, keys to decrypt the data of Hive targets were obtained and shared without companies having to pay. Some likely paid anyway; the thieves not only encrypted data on their victim’s servers, they copied and threatened to publish sensitive information, and having decryption keys wouldn’t prevent a company’s private information from being published. Second, the servers used by Hive were taken over by international law enforcement agencies.
"Since nobody was arrested, the thieves are free to simply set up shop again. Some people may choose to 'retire' as Hive is estimated to have collected about $100M in ransom payments. Others can and likely will quickly regroup. Modern ransomware teams assemble a combination of dark web services, meaning they can reassemble the parts quite easily. They can rent software to breach and encrypt victims. They can hire services to negotiate and collect payments. They can hire services and infrastructure to publish sensitive data if not paid. Creating a ransomware team is a lot like building something out of Lego® blocks: you snap the pieces together. If the FBI disassembled your blocks, you simply build a new one.
"The good news is that ransomware payments are thought to have gone down substantially between 2021 and 2022. Much of that may be due to the FBI intercepting and “clawing back” some of the larger extortion payments, leading ransomware teams to focus on smaller companies that simply can’t pay as much. Attacking one big target takes about the same work as a small one, so it becomes a question of how much time and effort attackers are willing to invest for a smaller gain. Another driver of reduced payments may be that companies are doing a better job of protecting themselves, especially after a rapid shift to remote work during the pandemic.
"A long-term solution would be to prevent companies from making extortion payments. If the attackers can’t get paid, there would be little incentive to do the work of attacking. While some argue that punishes the victim, I disagree. Most corporate ransomware attacks are preventable through good security practices, and recoverable through good backups and self-encryption of sensitive data. That means most victims made a business decision to not invest sufficiently in their own security and should assume the risk. Additionally, an attack makes you a victim, a decision to pay the attacker and incent them to keep attacking others does not.
"The legal framework exists to prevent payments. It’s widely believed that many ransomware payments go to countries that are officially sanctioned by the US, such as North Korea. It is already illegal to make payments there. Companies should be forced to demonstrate that their payments weren’t going to sanctioned countries, as required by law. Since the attackers value their anonymity, this would be hard to do and would largely choke off the flow of extortion payments by companies that don’t want to risk prosecution.
"It's good that law enforcement disrupted Hive, and took some servers offline. It’s better that they have been able to help victims get decryption keys for free, and even better that they have had success in clawing back payments. But to really disrupt ransomware as an industry, we need to disrupt their ability to get paid.")