The FBI managed to infiltrate a network of cybercriminals specializing in ransomware for months. By secretly recovering decryption keys to share with victims, the agency was able to thwart over $130 million in ransom demands.
The FBI has just announced the seizure of the servers of an international group specializing in ransomwareransomware. Hive, which is one of the most active groups, has targeted hospitals, schools, businesses and critical infrastructure in more than 80 countries. Its members use malwaremalware to encrypt their victims’ systems, rendering them unusable, and demand payment of a ransom in exchange for the decryption key.
In a statement, the United States Department of Justice indicates that the FBI has secretly infiltrated Hive’s systems since July 2022. The authorities were thus able to secretly recover the decryption keys to help more than 300 victims targeted since this date. , and provide them to more than 1,000 victims who had previously suffered attacks. In total, they estimate that they have foiled more than $130 million in ransom demands.
Ransomware as a Service
This Thursday, January 26, the agency announced that it had succeeded in dismantling the group’s systems, thanks to collaboration with the German, Dutch and Europol authorities. ” In the context of 21st century cyber surveillancee century, our team of investigators got the better of Hive, seizing its decryption keys, passing them on to victims, and ultimately avoiding the payment of over $130 million in ransoms said Assistant Attorney General Lisa O. Monaco. While it hasn’t announced any arrests, the agency has seized the servers and websites the members used to communicate, which should hold them back for some time.
The group, whose name means ” hive ”, works in the form of a hierarchy, with a model of ransomware as a service (RaaS, or Ransomware as a Service). “Administrators” take care of developing ransomware, while the infection of the victim’s systems is the work of their affiliatesaffiliates “. All means are good, such as the use of the Remote Desktop Protocol (RDP) you two VPNVPN yes thetwo-factor authenticationtwo-factor authentication is not activated, flaws in the FortiToken double authentication system or in the servers MicrosoftMicrosoft Exchange, or the good old method of phishing by e-mail with a pox attachment.
Customer service on the dark web
Affiliates carry out a double attack. First, they download confidential information from the target organization’s systems. Then they encrypt the system, demand a ransom to release the decryption key, and threaten to release the stolen data without payment.
The malware stops the antivirus, clears the system logs and proceeds to encryptionencryption of Hard diskHard disk. It works on Windows, but there are also variants for LinuxLinux, VMware ESXi and FreeBSD. Very often, it then displays a link on the dark web in .onion, accessible with the NavigatorNavigator Tor, which links to a chat with the ” service commercial to discuss the ransom payment. However, some victims were contacted by e-mail or telephone. If the victim sends theargentargent requested, affiliates pay 20% to administrators.
US authorities said Hive has targeted more than 1,500 victims since it emerged in June 2021, and received more than $100 million in ransoms. It remains to be seen how long it will take the group to set up new servers following the seizure and resume service…