The FBI and international partners have at least temporarily disrupted the network of a ransomware gang they infiltrated last year, saving victims including hospitals and school districts a potential $130 million in ransom payments.
Officials said the targeted syndicate, known as Hive, is among the world’s top five ransomware networks and has heavily targeted health care. The FBI quietly accessed its control panel in July and was able to obtain software keys it used with German and other partners to decrypt networks of some 1,300 victims globally, said FBI Director Christopher Wray.
How the effort will affect Hive’s long-term operations is unclear. Officials announced no arrests but said, to pursue prosecutions, they were building a map of the administrators who manage the software and the affiliates who infect targets and negotiate with victims.
Ransomware is the world’s biggest cybercrime headache with everything from Britain’s postal service and Ireland’s national health network to Costa Rica’s government.
The criminals lock up, or encrypt, victims’ networks, steal sensitive data and demand large sums. Their extortion has evolved to where data is pilfered before ransomware is activated, then effectively held hostage. Organizations must pay up in cryptocurrency or it is released publicly.
The online takedown notice, alternating in English and Russian, mentions Europol and German law enforcement partners. The German news agency dpa quoted prosecutors in Stuttgart as saying cyber specialists in the southwestern town of Esslingen were decisive in penetrating Hive’s criminal IT infrastructure after a local company was victimized.
In a statement, Europol said companies in more than 80 countries, including oil multinationals, have been compromised by Hive and that law enforcement from 13 countries was in on the infiltration.
A U.S. government advisory last year said Hive ransomware actors victimized over 1,300 companies worldwide from June 2021 through November 2022, netting about $100 million in payments. Criminals using Hive’s ransomware-as-a-service tools targeted a wide range of businesses and critical infrastructure, including government, manufacturing and especially health care.
Though the FBI offered decryption keys to some 1,300 victims globally, only about 20% reported potential issues to law enforcement.
Victims sometimes quietly pay ransoms without notifying authorities — even if they’ve quickly restored networks — because the data stolen from them could be extremely damaging to them if leaked online. Identity theft is among the risks.