Security News

The FBI has revealed the results of a month-long campaign designed to thwart an infamous ransomware group known for extorting hospitals, school districts and critical infrastructure. Since the FBI's campaign started, more than 300 decryption keys have been given to Hive victims under attack, while more than 1,000 were provided to victims of the gang's previous attacks.

The U.S. Department of State today offered up to $10 million for information that could help link the Hive ransomware group with foreign governments. "If you have information that links Hive or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government, send us your tip via our Tor tip line. You could be eligible for a reward," the State Department's Rewards for Justice Twitter account said.

The FBI said it has shut down the Hive's ransomware network, seizing control of the notorious gang's servers and websites, and thwarting the pesky criminals' ability to sting future victims. The takedown, which happened Wednesday night, was the culmination of a seven-month covert operation during which the FBI hacked Hive's network and used that access to provide decryption keys to more than 300 victims, saving them $130 million in ransomware payments, we're told.

Europol supported the German, Dutch and US authorities in taking down the infrastructure of the prolific HIVE ransomware.In the last year, HIVE ransomware has been identified as a major threat as it has been used to compromise and encrypt the data and computer systems of large IT and oil multinationals in the EU and the USA. Since June 2021, over 1 500 companies from over 80 countries worldwide have fallen victim to HIVE associates and lost almost EUR 100 million in ransom payments.

The infrastructure associated with the Hive ransomware-as-a-service operation has been seized as part of a coordinated law enforcement effort involving 13 countries. "Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals," Europol said in a statement.

The Hive ransomware operation's Tor payment and data leak sites were seized as part of an international law enforcement operation after the FBI infiltrated the gang's infrastructure last July. Today, the US Department of Justice and Europol announced that an international law enforcement operation secretly infiltrated the Hive ransomware gang's infrastructure in July 2022, when they secretly began monitoring the operation for five months.

Today, the Hive ransomware Tor payment and data leak sites were seized as part of an international law enforcement operation involving the US Department of Justice, FBI, Secret Service, Europol, and Germany's BKA and Polizei. The seizure notice on the Tor sites also lists a wide range of other countries involved in the law enforcement operation, including Canda, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom.

Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency's Hive multi-platform malware suite, the source code of which was released by WikiLeaks in November 2017. "This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33," Qihoo Netlab 360's Alex Turing and Hui Wang said in a technical write-up published last week.

Hive ransomware criminals have hit more than 1,300 companies globally, extorting about $100 million from its victims over the last 18 months, according to the FBI. While Hive has only been around since June 2021, the ransomware-as-a-service operator has been extremely prolific in its relatively short existence, and taken an intense liking to critical infrastructure and hospitals, where locked IT systems can literally be a matter of life and death. While the initial intrusion will depend on which Hive affiliate is carrying out the attack, the criminals have broken into networks using stolen single-factor RDP logins, virtual private networks and other remote network connection protocols, according to the agencies.

The threat actors behind the Hive ransomware-as-a-service scheme have launched attacks against over 1,300 companies across the world, netting the gang $100 million in illicit payments as of November 2022."Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and - especially - Healthcare and Public Health," U.S. cybersecurity and intelligence authorities said in an alert.