
DOJ Takes Down Hive Ransomware Group

The Justice Department completed a months-long disruption campaign against the Hive ransomware group, a threat group known to aggressively target healthcare and other critical infrastructure sectors.


By Jill McKeon

The US Department of Justice (DOJ) has successfully disrupted Hive ransomware group operations following a months-long effort. According to the DOJ press release, Hive has targeted more than 1,500 victims worldwide since June 2021, including many in the healthcare sector. These attacks prompted multiple industry alerts and warnings from HHS, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA).

Since July 2022, the FBI has been able to penetrate Hive’s network, capture decryption keys, and offer those keys to victims, saving them $130 million in ransom demands, the DOJ stated. The FBI was also able to distribute more than 1,000 decryption keys to past Hive victims.

In coordination with law enforcement from Germany and the Netherlands, the DOJ also seized control of Hive’s servers and websites that it used to communicate with members.

“Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” Attorney General Merrick B. Garland said in the press release.

“Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”

Hive is known to operate a ransomware-as-a-service (RaaS) model in which recruited affiliates can leverage the group’s ransomware strain to deploy against victims. Hive typically used a double-extortion model and published the data of victims who refused to pay on its leak site.

Hive claimed responsibility for a variety of attacks against US healthcare organizations, including an August 2021 attack on Memorial Health System that impacted more than 215,000 individuals and resulted in ambulance diversions and appointment cancellations.

“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard,” said FBI Director Christopher Wray.

“The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American business and organizations.”

Industry Perspective

“In 2022, Hive was the most prolific family that we directly observed in incident response engagements, accounting for over 15 percent of the ransomware intrusions that we responded to,” Kimberly Goody, senior manager at Mandiant Intelligence, Google Cloud, said in a statement sent to HealthITSecurity.

“Their victims have spanned a wide range of countries, but the most significant impact has been in the United States, with 50 [percent] of all its public victims being based here. The actors behind the operation continued to develop it including rewriting the ransomware in Rust in mid-2022. This step was likely taken to hinder analysis and evade detections.”

The vast network of cyber threat actors remains strong, but Hive was a group that aggressively targeted healthcare and faced the consequences for it. The FBI’s efforts may serve as a warning for future threat groups that use similar tactics and go after the critical services that people rely on every day, such as hospitals and schools.

“The disruption of the Hive service won’t cause a serious drop in overall ransomware activity, but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system,” added John Hultquist, head of Mandiant Threat Intelligence, Google Cloud.

“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals.”