FBI’s ransomware takedown: one Hive down, a colony to go

In October 2020, our frustration over the ransomware problem peaked. During the months prior, we had begun a daily routine of waking up before the sun rose to comb through the most recent malware logs, looking for a new list of potential ransomware victims to try and warn before the attacker struck. We didn’t always succeed, but at a time when it felt like nothing else was being done, it was better than sitting idly. That month, the U.S. government issued a warning about an impending, large-scale ransomware attack against U.S. hospitals and healthcare providers. Simultaneously, Mandiant was in the midst of responding to the greatest number of ransomware intrusions it had seen to date. And the actors behind TrickBot were quickly rebounding after a takedown attempt.

Two years later, not much has changed. Although the number of attacks has seemingly reached a sustainment level, ransomware and its supporting ecosystem remain strong. Moreover, threat actors continue to target hospitals and other critical infrastructure. This all continues despite notable, public actions aimed at disrupting and imposing cost on the actors behind these operations. These efforts include the seizure of funds tied to Darkside, sanctions against cryptocurrency exchanges, and multiple arrests.

Most recently, the FBI announced on January 26 that they had been secretly monitoring and had taken down private servers associated with the Hive ransomware operation. This was welcome news. Hive originally crossed our radar a year earlier in July 2021. Less than two months after overt ransomware advertisements were banned on prominent underground forums, a Russian-speaking actor casually posted an ad seeking experienced “pentesters” (i.e. intrusion operators) to deploy a new ransomware identified as Hive. These partners were offered 85% of any ransom payments from victims in exchange for deploying the ransomware. Over the course of the next 18 months, the overall Hive operation would grow, reportedly receiving $100 million in payments and impacting over 1,300 companies worldwide. The FBI’s operation may have notably stymied over $130 million in additional ransom payments to Hive. Beyond taking down the servers used by the Hive operators, the FBI was also secretly providing decryption keys to hundreds of Hive victims after initially gaining access to Hive’s networks in July 2022, relieving victims of the tough decision of whether to pay for a decrypter to get their operations back online much sooner.

Unfortunately, while the recent operation against Hive was significant, the cybercrime ecosystem remains resilient. Hive was only one of many ransomware brands active at the time of its takedown. Judging by victim counts on data leak shaming sites, it didn’t even cross the top five mark in terms of activity over the last quarter. The top brands – such as LockBit, Royal, and Alphv – remain active today. Even if Hive isn’t reborn, Hive affiliates can simply adapt and establish new partnerships with one of the many existing operations. Newer brands may also benefit from Hive’s absence by offering more favorable rates (i.e. higher percentages of ransom payments) in comparison to long-standing competitors to attract new affiliates. 

We consider the most recent disruption a step forward. Making measurable progress against ransomware has been challenging, as new ransomware families are constantly emerging. Simultaneously, threat actors often adapt and overcome setbacks, and some of the most prolific actors operate with impunity. The actions against Hive do serve as a reminder, however, that there are other levers that authorities can pull to disincentivize these operations, beyond waiting for someone to cross a border where they can apprehend or publicly name them. This may never happen, and it doesn’t serve today’s victims, but the disruption of Hive serves as one example of how we can at least temporarily disrupt the massive profits made by criminals – the primary motivator of most ransomware actors. Despite limited impacts, it was a fight that needed fighting, and scaling efforts such as this could have broader, sustaining impact across the ransomware ecosystem. That will certainly require collaboration, not just among domestic and foreign government entities, but also the private sector. Until then, we’ll continue to work behind the scenes to save whomever we can, no matter how tired we are.

Kimberly Goody, head of Mandiant Cybercrime Analysis, Google Cloud

Kimberly is Head of Mandiant Cybercrime Analysis, Google Cloud where she focuses on various financially motivated cyber threats.
