The FBI has at least temporarily dismantled the network of a prolific ransomware gang it infiltrated last year, saving victims including hospitals and school districts a potential $130 million in ransom payments, Attorney General Merrick Garland and other U.S. officials announced Thursday.
“Simply put, using lawful means we hacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference.
Officials said the targeted syndicate, known as Hive, operates one of the world’s top five ransomware networks. The FBI quietly gained access to its control panel in July and was able to obtain software keys to decrypt the network of some 1,300 victims globally, said FBI Director Christopher Wray. Officials credited German police and other international partners.
It was not immediately clear how the takedown will affect Hive’s long-term operations, however. Officials did not announce any arrests but said they were building a map of Hive’s administrators, who manage the software, and affiliates, who infect targets and negotiate with victims, to pursue prosecutions.
“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.
On Wednesday night, FBI agents seized computer infrastructure in Los Angeles that was used to support the network. Hive’s dark web site was also seized.
“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack,” Wray said.
Garland said that thanks to the infiltration, led by the FBI’s Tampa office, agents were able in one instance to disrupt a Hive attack against a Texas school district, stopping it from making a $5 million payment.
The operation is a big win for the Justice Department. The ransomware scourge is the world’s biggest cybercrime headache with everything from Britain’s postal service and Ireland’s national health service to Costa Rica’s government crippled by Russian-speaking syndicates that enjoy Kremlin protection. The criminals lock up, or encrypt, victims’ computer networks, steal sensitive data and demand large sums.
As an example of Hive’s threat, Garland said it had prevented a hospital in the Midwest in 2021 from accepting new patients at the height of the COVID-19 epidemic.
A U.S. government advisory last year said Hive ransomware actors victimized over 1,300 companies worldwide from June 2021 through November 2022, receiving approximately $100 million in ransom payments. It said criminals using Hive ransomware targeted a wide range of businesses and critical infrastructure, including government, manufacturing and especially health care and public health facilities.
The threat captured the attention of the highest levels of the Biden administration two years ago after a series of high-profile attacks that threatened critical infrastructure and global industry. In May 2021, for instance, hackers targeted the nation’s largest fuel pipeline, causing the operators to briefly shut it down and make a multimillion-dollar ransom payment that the U.S. government largely recovered.
Federal officials have used a variety of tools to try to combat the problem, but conventional law enforcement measures such as arrests and prosecutions have done little to frustrate the criminals.
The FBI has obtained access to decryption keys before. It did so in the case of a major 2021 ransomware attack on Kaseya, a company whose software runs hundreds of websites. It took some heat, however, for waiting several weeks to help victims unlock afflicted networks.
Learn how to navigate and strengthen trust in your business with The Trust Factor, a weekly newsletter examining what leaders need to succeed. Sign up here.