FBI takes down ransomware group that targeted hospitals, schools

The FBI and other organizations have disabled a ransomware gang known as Hive, saving affected groups from having to pay millions of dollars in ransom money. This achievement marks the latest global victory against cybercrime.

|
Jose Juis Magana/AP
Deputy Attorney General Lisa Monaco (center) speaks at a conference announcing a ransomware enforcement action at the Justice Department in Washington, Jan. 26, 2023. The FBI has seized the website of a ransomware gang that has targeted hospitals and school districts.

The FBI and international partners have at least temporarily disrupted the network of a prolific ransomware gang they infiltrated last year, saving victims including hospitals and school districts a potential $130 million in ransom payments, Attorney General Merrick Garland and other U.S. officials announced Thursday.

“Simply put, using lawful means we hacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference.

Officials said the targeted syndicate, known as Hive, is among the world’s top five ransomware networks and has heavily targeted health care. The FBI quietly accessed its control panel in July and was able to obtain software keys it used with German and other partners to decrypt networks of some 1,300 victims globally, said FBI Director Christopher Wray.

How the takedown will affect Hive’s long-term operations is unclear. Officials announced no arrests but said, to pursue prosecutions, they were building a map of the administrators who manage the software and the affiliates who infect targets and negotiate with victims.

“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Mr. Wray said.

On Wednesday night, FBI agents seized computer servers in Los Angeles used to support the network. Two Hive dark web sites were seized: one used for leaking data of nonpaying victims, the other for negotiating extortion payments.

“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack,” Mr. Garland said.

He said the infiltration, led by the FBI’s Tampa office, allowed agents in one instance to disrupt a Hive attack against a Texas school district, stopping it from making a $5 million payment.

It’s a big win for the Justice Department. Ransomware is the world’s biggest cybercrime headache with everything from Britain’s postal service and Ireland’s national health network to Costa Rica’s government crippled by Russian-speaking syndicates that enjoy Kremlin protection.

The criminals lock up, or encrypt, victims’ networks, steal sensitive data, and demand large sums. Their extortion has evolved to where data is pilfered before ransomware is activated, then effectively held hostage. Pay up in cryptocurrency or it is released publicly.

As an example of a Hive sting, Mr. Garland said it kept one Midwestern hospital in 2021 from accepting new patients at the height of the COVID-19 pandemic.

The online takedown notice, alternating in English and Russian, mentions Europol and German law enforcement partners. The German news agency dpa quoted prosecutors in Stuttgart as saying cyber specialists in the southwestern town of Esslingen were decisive in penetrating Hive’s criminal IT infrastructure after a local company was victimized.

In a statement, Europol said companies in more than 80 countries, including oil multinationals, have been compromised by Hive and that law enforcement from 13 countries was in on the infiltration.

A U.S. government advisory last year said Hive ransomware actors victimized over 1,300 companies worldwide from June 2021 through November 2022, netting about $100 million in payments. Criminals using Hive’s ransomware-as-a-service tools targeted a wide range of businesses and critical infrastructure, including government, manufacturing, and especially health care.

Though the FBI offered decryption keys to some 1,300 victims globally, Wray said only about 20% reported potential issues to law enforcement.

“Here, fortunately, we were still able to identify and help many victims who didn’t report. But that is not always the case,” Mr. Wray said. “When victims report attacks to us, we can help them and others, too.”

Victims sometimes quietly pay ransoms without notifying authorities – even if they’ve quickly restored networks – because the data stolen from them could be extremely damaging to them if leaked online. Identity theft is among the risks.

John Hultquist, the head of threat intelligence at the cybersecurity firm Mandiant, said the Hive disruption won’t cause a major drop in overall ransomware activity but is nonetheless “a blow to a dangerous group.”

“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” Mr. Hultquist said.

But analyst Brett Callow with the cybersecurity firm Emsisoft said the operation is apt to lessen ransomware crooks’ confidence in what has been a very high reward-low risk business. “The information collected may point to affiliates, launderers and others involved in the ransomware supply chain.”

Allan Liska, an analyst with Recorded Future, another cybersecurity outfit, predicted indictments, if not actual arrests, in the next few months.

There are few positive indicators in the global fight against ransomware, but here’s one: An analysis of cryptocurrency transactions by the firm Chainalysis found ransomware extortion payments were down last year. It tracked payments of at least $456.8 million, down from $765.6 million in 2021. While Chainalysis said the true totals are certainly much higher, payments were clearly down. That suggests more victims are refusing to pay.

The Biden administration got serious about ransomware at its highest levels two years ago after a series of high-profile attacks threatened critical infrastructure and global industry. In May 2021, for instance, hackers targeted the nation’s largest fuel pipeline, causing the operators to briefly shut it down and make a multimillion-dollar ransom payment, which the U.S. government later largely recovered.

A global task force involving 37 nations began work this week. It is led by Australia, which has been particularly hard-hit by ransomware, including a major medical insurer and telecom. Conventional law enforcement measures such as arrests and prosecutions have done little to frustrate the criminals. Australia’s interior minister, Clare O’Neil, said in November that her government was going on the offense, using cyber-intelligence and police agents to “find these people, hunt them down and debilitate them before they can attack our country.”

The FBI has obtained access to decryption keys before. It did so in the case of a major 2021 ransomware attack on Kaseya, a company whose software runs hundreds of websites. It took some heat, however, for waiting several weeks to help victims unlock afflicted networks.

This story was reported by The Associated Press. Frank Bajak reported from Boston. AP writer Kirsten Grieshaber in Berlin contributed.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to FBI takes down ransomware group that targeted hospitals, schools
Read this article in
https://www.csmonitor.com/USA/2023/0127/FBI-takes-down-ransomware-group-that-targeted-hospitals-schools
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe