Hive hacker group that targets hospitals infiltrated by the FBI


WASHINGTON — The FBI and international partners have at least temporarily disrupted the network of a major extortion gang they infiltrated last year, saving victims, including hospitals and school districts, a potential $130 million in ransom payments, Attorney General Merrick Garland and other US officials announced Thursday.

“Simply put, by using legitimate means we attacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference.

Officials say the targeted organization, known as Hive, operates one of the world’s top five ransomware networks and heavily targets hospitals and other healthcare providers. FBI Director Christopher Wray said the FBI quietly gained access to its control panel in July and was able to obtain software keys to decrypt the networks of about 1,300 victims globally. Officials noted the role of German police and other international partners.


However, it remains unclear how the takedown will affect Hive’s long-term operations. Officials did not announce any arrests but said they were mapping Hive’s administrators, who manage the software, and its affiliates, who infect targets and negotiate with victims, in order to pursue prosecutions.

“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.

On Wednesday night, FBI agents seized computer infrastructure in Los Angeles used to support the network. Two Hive dark web sites were seized: one used to leak data of non-paying victims, the other used to negotiate extortion payments.

“Cybercrime is an ever-evolving threat, but as I said before, the Department of Justice will spare no effort to bring to justice anyone anywhere targeting the United States with a ransomware attack,” Garland said.

Garland said that, thanks to an infiltration led by the FBI’s Tampa office, agents were able in one case to thwart a Hive attack on a Texas school district, stopping the district from making a payment of $5 million.

This operation is a huge win for the Department of Justice. The ransomware scourge is the world’s biggest cybercrime headache, with everything from Britain’s postal service and Ireland’s national health service to the government of Costa Rica being crippled by Russian-speaking syndicates that enjoy the protection of the Kremlin.

Criminals lock or encrypt the victim’s computer network, steal sensitive data, and demand large amounts of money. Extortion schemes have evolved to the point where data is stolen before the ransomware is activated and is then effectively held hostage: pay in cryptocurrency or the criminals release it publicly.

As an example of the threat Hive poses, Garland said it kept a Midwest hospital in 2021 from accepting new patients at the height of the COVID-19 outbreak.


The online takedown notice, alternating in English and Russian, refers to Europol and its German partners in this effort. German news agency dpa quoted the prosecutor’s office in Stuttgart as saying that cyber experts in the southwestern town of Esslingen decided to infiltrate Hive’s criminal IT infrastructure after a local company became a victim.

In a statement, Europol said companies in more than 80 countries, including oil multinationals, had been compromised by Hive. It said Europol provided support with cryptocurrency, malware and other analysis, and that law enforcement agencies from 13 countries were involved in the effort.

A US government advisory last year said that Hive ransomware attackers victimized more than 1,300 companies worldwide between June 2021 and November 2022, receiving an estimated $100 million in ransom payments. It said criminals using Hive’s ransomware-as-a-service tools have targeted multiple businesses and critical infrastructure sectors, including government, manufacturing and especially health care and public health facilities.

Although the FBI has provided decryption keys to about 1,300 victims around the world, Wray said only about 20% report potential problems to law enforcement.

“Here, fortunately, we are able to identify and help many unreported victims. But not always,” Wray said. “When victims report attacks to us, we can also help them and others.”

In some cases, cybersecurity experts say, victims quietly pay the ransom without notifying authorities, even when they can quickly restore their networks, because criminals have stolen files that could seriously harm them if leaked online, such as information that could be used in identity theft.

John Hultquist, head of threat intelligence at cybersecurity firm Mandiant, said the Hive disruption won’t cause a major drop in ransomware activity overall but is nonetheless “a blow to a dangerous group”.

“Unfortunately, the crime market at the heart of the ransomware problem ensures that Hive’s competitors will be willing to offer the same service in their absence, but they might think twice before allowing their ransomware to be used to target hospitals,” Hultquist said.

But Brett Callow, an analyst with cybersecurity firm Emsisoft, said the operation has the potential to undermine ransomware criminals’ confidence in what has been a very profitable, low-risk business.

“Information collected may indicate affiliates, money launderers and others involved in the ransomware supply chain,” Callow said.

And analyst Allan Liska of cybersecurity firm Recorded Future said the operation shows that “law enforcement’s multi-pronged strategy of arrest, punishment, seizure and more is at work to slow down ransomware attacks.” He predicts it will lead to indictments, if not actual arrests, in the next few months.

The ransomware threat came to the attention of the highest levels of the Biden administration two years ago after a series of well-known attacks that threatened critical infrastructure and global industry. For instance, in May 2021, hackers targeted the nation’s largest fuel pipeline, prompting operators to briefly shut down the pipeline and make ransom payments worth millions of dollars, most of which the US government recovered.

Federal officials have used a variety of tools to try to solve the problem, but common law enforcement measures like arrests and prosecutions have hardly deterred criminals.

The FBI has gained access to decryption keys before. It did so in the case of a major ransomware attack in 2021 against Kaseya, a company whose software runs hundreds of websites. However, it took several weeks to help victims unlock the affected networks.
