FBI shuts down ransomware gang that targeted schools and hospitals

The FBI and law enforcement in Europe have shut down a major ransomware operation accused of extorting more than $100 million from organizations across the world by encrypting victims’ computer systems and demanding payments to provide a key to unlock them, U.S. officials said Thursday.

Attorney General Merrick Garland said the ransomware group called Hive attacked hospitals, school districts, financial firms and others, stealing and sometimes publishing their data. Like some other prolific groups, Hive partnered with independent hackers who broke in through phishing or other means: The gang provided the encryption program and ransomware negotiations, and split the profits with the hackers.

In one August 2021 case, a nonprofit Ohio network of hospitals had to cancel urgent surgeries as its staff moved to paper charts. Other victims included a Florida heavy machinery company that had to shut down temporarily, multiple law firms, and a New Jersey tech company whose customers had their data stolen, according to an FBI affidavit.

Garland, FBI Director Christopher A. Wray and their top deputies described the dismantling of Hive as a major victory in the government’s efforts to fight ransomware with novel methods. Law enforcement was able to hack Hive and infiltrate its networks for seven months, officials said, stealing the decryption keys and quietly giving them to 336 victims before taking full control of Hive servers in the United States and Europe, knocking them offline and preventing new infections.

U.S. officials credited German and Dutch authorities and Europol for helping in the case. German police and prosecutors said in a statement that they were able to penetrate the hackers’ technology infrastructure as they investigated an attack on a company in southern Germany. They said they succeeded because victims didn’t pay the ransom and instead filed charges with the police.

Only about 20 percent of Hive’s U.S. victims notified authorities, Wray said, but the FBI could identify others from the infrastructure and worked to help them as well. At times, it was able to contact victim organizations, including one university, before the encryption had been deployed.

Officials said they have not made any arrests, and they did not say they had seized any proceeds from the ransoms, but the investigation is continuing.

“Cybercrime is a constantly evolving threat,” Garland said. “But as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack.”

Officials have in the past recovered some ransom to other gangs or retrieved decryption keys, Wray said, but have never before been able to help so many victims for so long.

Hive ransomware was first detected in June 2021. It rapidly became one of the most active ransom networks in the United States, notable for attacking sensitive organizations that many rival gangs avoided.

Hive’s approach included what has been termed “double extortion,” in that it would charge a fee to release a decryption key so that targets could recover access to their data and would also charge not to publish patient information and other critical data on a site dedicated to such leaks that has now been shut down.

By the number of publicly listed targets, Hive ranked among the top 10 most prolific actors, researchers said, with about half of its victims in the United States.

Officials said that the FBI and its law enforcement allies have been helping victims regain access to their files without paying the ransoms since July 2022, saving more than $130 million in payments.

“We hacked the hackers,” Deputy Attorney General Lisa Monaco said. “We turned the table on Hive.”

Researchers said Hive’s gang included veterans of one of the most notorious Russian-speaking ransomware gangs, Conti. Conti splintered after a Ukrainian member leaked internal chats that revealed leaders bragged of contacts with Russia’s Federal Security Service (FSB).

“That doesn’t necessarily mean they were controlled by the Russian government,” said Allan Liska, intelligence analyst at security company Recorded Future. “But most of these groups headquartered in Russia at least operate with the tacit approval of the Russian government and likely have these loose government contacts.”

Hive’s public but “dark Web” site, unreachable by regular internet browsers, showed that it had been seized, and its back-end servers were also unreachable Thursday, Liska said, essentially putting it out of business.

Other gangs have been able to move to new infrastructure and regroup in the past, however, and that could happen with Hive as well.

“Actions like this add friction to ransomware operations. Hive may have to regroup, retool, and even rebrand,’: said John Hultquist, head of Mandiant Threat Intelligence at Google. ‘When arrests aren’t possible, we’ll have to focus on tactical solutions and better defense. Until we can address the Russian safe haven and the resilient cybercrime marketplace, this will have to be our focus.”