Hackers Getting Hacked: Over $130 Million in Potential Attacks Thwarted by FBI

At the end of January, the US Department of Justice announced that FBI agents had infiltrated the Hive ransomware group's infrastructure and prevented attacks that could have extracted an estimated $130 million in ransom payments from victims, who no longer had to consider paying.

The group, which is said to have targeted over 1,500 victims in more than 80 countries, was infiltrated months before the FBI began working with officials in Germany and the Netherlands to seize Hive's servers and websites.

“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco announced in a press conference.

The FBI was able to access Hive's servers without being detected. That access let agents capture over 300 decryption keys and pass them to victims whose data was being held hostage by the ransomware group. Victims helped in this way included a Texas school district, a Louisiana hospital and an unnamed food services company; between those three organizations alone, the FBI prevented roughly $18 million in ransom payments.

“We turned the tables on Hive and busted their business model,” Monaco said. Hive is considered a top-5 ransomware threat by the FBI. The group has received over $100 million in ransom payments since June 2021.

Hive uses the same techniques as LockBit, a ransomware gang we have previously reported on. Under a "Ransomware-as-a-Service" model, the core group supplies its ransomware kit to "affiliates", who carry out the actual intrusions. Hive keeps 20 percent of each payout, while the affiliates pocket the rest. The affiliates gain initial access through techniques such as phishing, exploiting authentication weaknesses, and abusing remote-access VPN logins.

In November, CISA released an alert explaining how the attacks target businesses and organizations running their own Microsoft Exchange servers. Hive supplies its affiliates with tooling that exploits known Exchange vulnerabilities, which many organizations have left unpatched. Once inside, the attacker shuts down security software, deletes event logs, encrypts the data, and leaves a ransom note.
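The "disable security software, delete logs, encrypt" sequence above is where defenders still have a window to act, because each step leaves a process-creation event before the encryption begins. The following detector, added here as an illustration and not code from the article, CISA or any vendor, scans constructed Windows process-creation events (4688 / Sysmon-style, flattened to one line each) for the built-in commands attackers commonly use for those steps: stopping a Defender service, deleting volume shadow copies, clearing event logs and disabling boot recovery. The command patterns and service names are assumptions about typical tooling, not a claim about Hive's specific binaries, and the sample events are made up. It then correlates hits per host so that several distinct tampering actions within a short window raise one alert rather than four.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of process-creation events (4688 / Sysmon EID 1 style,
# one event per line). Not real telemetry from any incident.
SAMPLE_EVENTS = [
    '2023-01-20T03:14:01Z host=FS01 user=CORP\\svc_backup pid=4120 cmd="C:\\Windows\\System32\\svchost.exe -k netsvcs"',
    '2023-01-20T03:14:07Z host=FS01 user=CORP\\admin pid=5012 cmd="net stop WinDefend"',
    '2023-01-20T03:14:09Z host=FS01 user=CORP\\admin pid=5020 cmd="vssadmin.exe delete shadows /all /quiet"',
    '2023-01-20T03:14:10Z host=FS01 user=CORP\\admin pid=5031 cmd="wevtutil.exe cl Security"',
    '2023-01-20T03:14:10Z host=FS01 user=CORP\\admin pid=5033 cmd="wevtutil cl System"',
    '2023-01-20T03:14:12Z host=FS01 user=CORP\\admin pid=5040 cmd="bcdedit /set {default} recoveryenabled No"',
    '2023-01-20T03:15:00Z host=FS01 user=CORP\\jsmith pid=5100 cmd="notepad.exe C:\\Users\\jsmith\\notes.txt"',
]

# Assumed tampering commands (typical attacker tradecraft, not Hive-specific).
RULES = {
    "defender_service_stop": re.compile(
        r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(?:WinDefend|Sense|MsMpSvc)\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "event_log_clear": re.compile(
        r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
}

# Layout of the constructed event lines (an assumption of this example).
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+cmd="(?P<cmd>.*)"$')


@dataclass(frozen=True)
class Hit:
    rule: str
    time: datetime
    host: str
    user: str
    cmd: str


def parse_event(line):
    """Return a dict of fields for one event line, or None if it does not parse."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields.pop("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def scan(lines):
    """Run every rule over every parseable event; one Hit per (rule, event) match."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed or unrelated line: skip rather than crash the pipeline
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits.append(Hit(name, ev["time"], ev["host"], ev["user"], ev["cmd"]))
    return hits


def correlate(hits, window_seconds=300, min_rules=3):
    """Flag hosts where at least min_rules distinct rules fire within window_seconds.

    A single shadow-copy deletion may be an admin at work; several distinct
    defence-disabling actions in a few minutes is the pre-encryption pattern.
    Returns {host: sorted list of rule names} for flagged hosts.
    """
    by_host = defaultdict(list)
    for h in hits:
        by_host[h.host].append(h)
    flagged = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h.time)
        for i, first in enumerate(hs):
            rules = {h.rule for h in hs[i:]
                     if (h.time - first.time).total_seconds() <= window_seconds}
            if len(rules) >= min_rules:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.time:%H:%M:%S} {h.host} {h.user} [{h.rule}] {h.cmd}")
    print("flagged hosts:", correlate(found))
```

The individual rules are deliberately narrow so they can run cheaply on every process-creation event; the correlation step is what turns them into a useful alert. Tuning the window and `min_rules` against your own baseline (backup jobs legitimately touch shadow copies, for instance) matters more than adding rules, and in a real deployment the matching should run on the endpoint or SIEM feed rather than on logs that the attacker has had a chance to clear.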

This is not the first time the FBI has taken on a large ransomware group. In 2021 it disrupted REvil, the gang responsible for leaking MacBook schematics and for attacking JBS, the world's largest meat supplier.

During the operation against Hive, the FBI also found more than 1,000 decryption keys tied to earlier victims. Only about 20 percent of those victims had contacted the FBI for help. Many ransomware victims never contact the authorities because they fear the criminals will find out and retaliate.

Even with the risk of getting caught, the attackers still have every incentive to continue as long as the paydays remain large. The FBI therefore hopes more victims will come forward with information as attacks happen, which could help shut down more of these criminal operations.

“When a victim steps forward, it can make all the difference in recovering stolen funds or obtaining decryptor keys,” Monaco said.


Story via The Verge