In what’s a case of hacking the hackers, the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) operation has been seized as part of a coordinated law enforcement effort involving 13 countries.
“Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals,” Europol said in a statement.
The U.S. Department of Justice (DoJ) said the Federal Bureau of Investigation (FBI) covertly infiltrated the Hive database servers in July 2022 and captured 336 decryption keys that were then handed over to companies compromised by the gang, effectively saving $130 million in ransom payments.
The FBI also distributed more than 1,000 additional decryption keys to previous Hive victims, the DoJ noted, stating the agency gained access to two dedicated servers and one virtual private server at a hosting provider in California that were leased using three email addresses belonging to Hive members.
Aside from the decryption keys, an examination of the data from the servers revealed information about 250 affiliates, who are parties recruited by the developers to identify and deploy the file-encrypting malware against victims in exchange for a cut of each successful ransom payment.
The U.S. Department of State, in a related announcement, said it’s offering rewards of up to $10 million for information that could help link the Hive ransomware group (or other threat actors) to foreign governments.
Hive, which sprang up in June 2021, has been a prolific cybercrime crew, launching attacks against 1,500 organizations in no less than 80 countries and netting it $100 million in illicit profits.
Targeted entities spanned a wide range of verticals, including government facilities, communications, critical manufacturing, information technology, and healthcare.
According to statistics collected by MalwareBytes, Hive claimed 11 victims in November 2022, placing it at the sixth spot behind Royal (45), LockBit (34), ALPHV (19), BianLian (16), and LV (16).
“Some Hive actors gained access to victim’s networks by using single factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols,” Europol explained.
“In other cases, Hive actors bypassed multi-factor authentication and gained access by exploiting vulnerabilities. This enabled malicious cybercriminals to log in without a prompt for the user’s second authentication factor by changing the case of the username.”
The international operation consisted of authorities from Canada, France, Germany, Ireland, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the U.K., and the U.S.
If anything, the move is likely to cause a temporary disruption to Hive’s operations, forcing the group (tracked as Hive Spider) to establish new infrastructure should it intend to continue its criminal activity under the same moniker.
“The seizure of both the [dedicated leak site] and victim negotiation portal is a major setback to the adversary’s operations,” Adam Meyers, head of intelligence at CrowdStrike, said.
Read more: thehackernews.com