The Tor payment and data leak websites of the prolific Hive ransomware group have been seized in an international law enforcement operation, after the FBI infiltrated the gang's infrastructure last July.
Today, the US Department of Justice and Europol announced that German, Dutch, and US authorities, supported by Europol, succeeded in taking down the infrastructure of the HIVE ransomware. The operation involved authorities from 13 countries in total. Investigators covertly infiltrated the Hive gang's infrastructure in July 2022 and monitored its operations for about five months before the takedown.
With that access, law enforcement obtained decryption keys and passed them to compromised companies so they could recover their data without paying the ransom. This effort prevented the payment of more than USD 130 million (about EUR 120 million) in ransoms.
"Europol deployed four experts to help coordinate the activities on the ground. Europol supported the law enforcement authorities involved by coordinating the cryptocurrency and malware analysis, cross-checking operational information against Europol's databases, and further operational analysis and forensic support. Analysis of this data and other related cases is expected to trigger further investigative activities," Europol wrote in its announcement.
"The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations," it added.
Meanwhile, the ransomware group's Tor website is displaying a seizure notice with the following message: "This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware".
The countries and agencies involved in this international operation are:
- Canada: Royal Canadian Mounted Police (RCMP) and Peel Regional Police
- France: National Police (Police Nationale)
- Germany: Federal Criminal Police Office (Bundeskriminalamt) and Police Headquarters Reutlingen – CID Esslingen (Polizei BW)
- Ireland: National Police (An Garda Síochána)
- Lithuania: Criminal Police Bureau (Kriminalinės Policijos Biuras)
- Netherlands: National Police (Politie)
- Norway: National Police (Politiet)
- Portugal: Judicial Police (Polícia Judiciária)
- Romania: Romanian Police (Poliția Română – DCCO)
- Spain: National Police (Policía Nacional)
- Sweden: Swedish Police (Polisen)
- United Kingdom: National Crime Agency (NCA)
- USA: United States Secret Service and Federal Bureau of Investigation (FBI)
What is Hive Ransomware?
First observed in June 2021, Hive is an affiliate-based ransomware variant used to attack healthcare facilities, nonprofits, retailers, energy providers, and other sectors worldwide. It is distributed in a Ransomware-as-a-Service (RaaS) model: the core developers maintain the malware and infrastructure, while affiliates deploy it against targets of their choosing.
Hive affiliates have gained initial access to victim networks through a number of methods: single-factor logins over Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote access services; exploiting a Fortinet vulnerability affecting FortiToken multifactor authentication; and phishing emails with malicious attachments.
In some cases Hive actors bypassed multifactor authentication outright by exploiting that vulnerability: simply changing the case of the username let them log in without ever being prompted for the user's second factor.
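To make the username-case bypass concrete, here is a constructed example (added here; it is neither Fortinet's code nor anything from the article) of the class of bug involved: the password step resolves the account case-insensitively, as LDAP/AD-backed logins usually do, but the second-factor policy is keyed by the exact spelling the user typed, so a different-case spelling silently skips MFA. The hardened version keys every policy decision off the canonical directory identity and fails closed. The user names, passphrases and token seeds are made up, and RFC 4226 HOTP stands in for the real hardware or app token.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# --- Constructed user directory (made-up accounts, not real credentials) ---

@dataclass
class User:
    username: str                  # spelling as enrolled, mixed case preserved
    salt: bytes
    password_hash: bytes
    hotp_secret: Optional[bytes]   # None when no token is enrolled


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(name: str, password: str, hotp_secret: Optional[bytes]) -> User:
    salt = secrets.token_bytes(16)
    return User(name, salt, _pw_hash(password, salt), hotp_secret)


DIRECTORY = {
    "Alice": _make_user("Alice", "correct horse battery", b"alice-token-seed"),
    "Bob": _make_user("Bob", "another passphrase", None),  # no token enrolled
}

# Second-factor policy kept in a separate table keyed by the *enrolled*
# spelling. The gap between this key and what the caller types is the bug.
MFA_REQUIRED = {"Alice"}


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP, 6 digits. Stand-in for the FortiToken/TOTP second factor."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


def _lookup(name: str) -> Optional[User]:
    # Directory resolution is case-insensitive, as with most AD/LDAP backends.
    for user in DIRECTORY.values():
        if user.username.casefold() == name.casefold():
            return user
    return None


def _password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(_pw_hash(password, user.salt), user.password_hash)


def _otp_ok(user: User, otp: Optional[str], counter: int) -> bool:
    if user.hotp_secret is None or otp is None:
        return False
    return hmac.compare_digest(hotp(user.hotp_secret, counter), otp)


def login_vulnerable(name: str, password: str, otp: Optional[str], counter: int = 0) -> str:
    """Password step is case-insensitive, but the MFA policy check uses the
    username exactly as typed: 'alice' is not in MFA_REQUIRED, so MFA is skipped."""
    user = _lookup(name)
    if user is None or not _password_ok(user, password):
        return "denied"
    if name in MFA_REQUIRED:                      # BUG: caller-controlled key
        if not _otp_ok(user, otp, counter):
            return "denied"
    return "granted"


def login_fixed(name: str, password: str, otp: Optional[str], counter: int = 0) -> str:
    """Every policy decision keys off the canonical directory identity, and the
    second factor is demanded whenever a token is enrolled (fail closed)."""
    user = _lookup(name)
    if user is None or not _password_ok(user, password):
        return "denied"
    mfa_needed = user.username in MFA_REQUIRED or user.hotp_secret is not None
    if mfa_needed and not _otp_ok(user, otp, counter):
        return "denied"
    return "granted"


if __name__ == "__main__":
    good_otp = hotp(DIRECTORY["Alice"].hotp_secret, 0)
    print("vulnerable, 'Alice', no OTP:", login_vulnerable("Alice", "correct horse battery", None))
    print("vulnerable, 'alice', no OTP:", login_vulnerable("alice", "correct horse battery", None))
    print("fixed,      'alice', no OTP:", login_fixed("alice", "correct horse battery", None))
    print("fixed,      'alice', OTP   :", login_fixed("alice", "correct horse battery", good_otp))
```

The same check is worth running against your own VPN or SSO portal: log in with an altered-case spelling of an MFA-enrolled account and confirm the second-factor prompt still appears. In authentication logs, a successful remote login whose username case differs from the directory's canonical spelling, with no corresponding second-factor event, is a cheap detection signal for this class of bypass.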
Hive Ransomware Background (History)
HIVE ransomware has been identified as a major threat: it has been used to compromise and encrypt the data and systems of large IT and oil multinationals in the EU and the USA.
Since June 2021, over 1,500 companies in more than 80 countries have fallen victim to HIVE affiliates and lost almost EUR 100 million in ransom payments. Affiliates carried out the attacks, while the HIVE ransomware itself was created, maintained, and updated by its developers.
Affiliates used the double extortion model common to ransomware-as-a-service: they first exfiltrated data and then encrypted the files, and then demanded a ransom both to decrypt the files and to refrain from publishing the stolen data on the Hive Leak Site. When a victim paid, the ransom was split between the affiliates (80%) and the developers (20%).