‘Hive’ Russian Ransomware Gang Shut Down by FBI, DoJ, Europol, Bundeskriminalamt, et al

The ransomware scrotes known as Hive got pwned this week. Their servers are no more.

Law enforcement agencies from several countries got together and took down the site. They also worked to decrypt victims’ data.

Six months of secret work has paid off, we’re told. In today’s SB Blogwatch, мы заняты пчелы.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Gabber marginalia.

Site Seized; Russians Riled

What’s the craic? Jenna McLaughlin reports—“FBI says it ‘hacked the hackers’”:

Saved over $130 million in ransom payments
The Department of Justice … announced the destruction of the Russian-linked Hive ransomware group. … The criminal syndicate … received more than $100 million in profits from victims who paid to get their data back or prevent it from being leaked.

Hive targeted more than 1,500 victims in over 80 countries … crippling businesses and harming critical infrastructure. … The FBI says it hacked into Hive’s networks in July 2022 … to spy on the group’s operations and gather important intelligence.

The Justice Department claims the intervention saved over $130 million in ransom payments. … On Wednesday evening, the leak site was replaced with a banner from the international group of law enforcement agencies announcing the seizure.

Where were the servers? Let’s turn to Carly Page—“US announces it seized Hive ransomware gang’s leak sites”:

Servers located in Los Angeles
The FBI confirmed … it had access to Hive’s computer network since July 2022, allowing federal agents to capture and offer Hive’s decryption keys to victims worldwide. Since its takeover, the FBI has helped at least 336 victims of the Hive ransomware.

The FBI has also begun dismantling Hive’s front- and back-end infrastructure in the U.S. and abroad, which included the seizure of two of Hive’s back-end servers located in Los Angeles. [But] no arrests or indictments were announced.

Wait, what? Black Label1 sounds doubtful:

Infrastructure hosted in Los Angeles? Seriously?

A Russian ransomware gang hosting servers in Los Angeles? … If it was really a Russian op, expect infrastructure to come back online in 3, 2, 1 …

But the U.S. isn’t saying “Russia” out loud. Sergiu Gatlan subtends the other angle—“US offers $10M bounty for Hive ransomware links to foreign governments”:

Transnational Organized Crime Rewards Program
The U.S. Department of State today offered up to $10 million for information that could help link the Hive ransomware group (or other threat actors) with foreign governments. … This offer comes after Hive ransomware’s Tor websites were seized today as part of an international law enforcement operation.

During the last two years, the State Department also offered rewards of up to $15 million for tips that could help locate members of the Conti, REvil (Sodinokibi), and Darkside ransomware operations. The State Department offers these rewards as part of its Transnational Organized Crime Rewards Program (TOCRP), through which over $135 million in rewards have been paid since 1986.

Can you smell that? u/xn0px90 can:

Hummmm. No arrest. It smells like they have an informant. If they went that far within their network and monitored and assisted in prevention before they asked for cash, I bet there’s more to this investigation.

It’s not the first time they’ve used an undercover CIA/FBI asset to trick criminals into crossing a border for a better future. … Going to keep an eye on this one.

However, iAmWaySmarterThanYou is way smarter than you: [You’re fired—Ed.]

Shutdown but no arrests? Uh, I hope that means arrests made but just not announced yet. Otherwise those guys are gone—never to be seen again.

Or is the glass half full? u/Cortesr7324 is bullish:

$130 million payments is effective. **** yeah, let’s keep going on the offensive, shall we? Maybe we can actually stop looking like victims and look more like an authoritative agency. Intimidation is key.

Of course, the encryption is only half of the ransom threat. rapjr wants to know, “What happened to the data?”

Did they intervene and/or shut down the servers before or after the criminals stole the data? Even if they recover the key and the company can decrypt their data, the data might still have been stolen and could be released or used for further blackmail.

[Or] did they stop the encryption from happening in the first place? The announcement is vague. … If the data theft was not prevented then companies still have an incentive to pay the ransom.

Meanwhile, that one in the corner misreads the story but rolls with it:

Hive? Anyone else see the headline and hope to find that the FBI had cracked down on those IoT thugs? You paid all that money and now the cameras don’t work; your living room heating will be next to go.

And Finally:

Hardcore—you know the score

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 618 posts and counting.See all posts by richi