Breaking Free from the Hive
On January 26, 2023, the Department of Justice announced its successful “months-long disruption campaign” against a ransomware group known as Hive, signaling the United States’ increased efforts to combat ransomware attacks and the groups responsible for them.
Ransomware is a type of malware that both encrypts a computer’s data (making the data inaccessible) and demands a ransom in exchange for a decryption key. Recent incidents have shown just how devastating ransomware attacks can be. A 2021 ransomware attack, for instance, shut down a major U.S. fuel pipeline carrying 45% of the East Coast’s fuel supply; the pipeline was shut down for six days, shortages caused gas prices to spike, and President Biden declared a state of emergency. As discussed in a prior post, the Biden Administration has made cybersecurity a priority. In January 2022, the White House issued a memorandum to federal agencies designed to strengthen the cyber defenses of “National Security Systems.” Two months later, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which, as its name suggests, will require covered critical infrastructure entities to report covered cyber incidents within 72 hours (and ransom payments within 24 hours) once the implementing rules that the statute directs CISA to issue take effect. These are welcome developments, given that ransomware attacks “surged dramatically” in 2022, and on average cost victim organizations $4.5 million per attack (with the average ransom payment reaching over $800,000).
The government’s success against Hive is yet another promising sign in its fight against ransomware attacks. Hive specifically targeted hospitals, school districts, and other organizations using a well-known technique called the “double-extortion” model. The group would first gain access to victims’ computer networks through “phishing” emails with malicious attachments, among other methods. Before encrypting a victim’s systems, Hive would exfiltrate sensitive data from the network; it would then demand a ransom both for the decryption key and for a promise not to publish the stolen information, so that a victim who could restore its systems from backups still faced the threat of a data leak.
However, since July 2022, the Federal Bureau of Investigation (“FBI”) has turned the tables by infiltrating Hive’s own computer networks, capturing the group’s decryption keys and providing them to Hive’s victims without those victims needing to pay any ransom. This spared victims an estimated $130 million in ransom payments. Additionally, with the help of German and Dutch authorities, the Justice Department seized the servers and dark web sites that Hive used to coordinate its attacks and publish pilfered data. Commenting on the operation’s success, FBI Director Christopher Wray promised that the government “will continue to leverage [its] intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American business and organizations.”
The Justice Department noted that it would continue its investigation and was still pursuing the individuals behind Hive. Although ransomware attacks will continue, the government’s success in infiltrating Hive and seizing its infrastructure is a promising sign in the fight against cybercrime.
We will continue to follow efforts by the government to combat ransomware and other cybercriminal attacks and report on them here.