FBI shuts down servers, website tied to notorious ransomware gang
The Department of Justice announced Thursday it has seized the computer servers and dark web sites associated with a prolific ransomware gang that's targeted U.S. hospitals, schools and other critical infrastructure.
Driving the news: Members of the Hive ransomware gang put a notice on their website earlier today claiming the DOJ, FBI, U.S. Secret Service and international law enforcement seized their sites last night.
- Attorney General Merrick Garland said agents at the FBI Tampa field office gained access to Hive's ransomware infrastructure last July, which gave them the ability to sneak around their networks to find the information needed to shut down the gang.
- In the months it took to seek out that information, the FBI was able to hand out decryption keys to victims to unlock any systems the ransomware gang targeted, Garland said.
Why it matters: Today's actions mark one of the most sophisticated and detrimental moves from U.S. law enforcement against a ransomware gang.
- Only a small number of publicly reported cases have resulted in U.S. law enforcement or the military being able to hand out decryption keys or shut down online infrastructure.
- Previously, agents have kept these operations under wraps for months or years.
The big picture: DOJ estimates that the Hive ransomware gang has targeted more than 1,500 companies in over 80 countries — netting more than $100 million in ransom payments.
- Hive used a double-extortion model: It demanded a payment in bitcoin from victims both to decrypt their systems and to prevent the leak of any sensitive data Hive stole before starting its attack.
Zoom out: Ransomware has been a top law enforcement priority in recent years — catapulting after the 2021 ransomware attack on Colonial Pipeline that led to a days-long shutdown.
- Yet, government officials have warned that the ransomware problem is only getting worse, despite the resources poured into solving it.
Details: The FBI provided over 300 decryption keys to victims who were actively under attack — which helped victims avoid paying more than $130 million in ransom to Hive.
- In one example, the FBI helped a Louisiana hospital avoid paying a $3 million ransom last year, Garland said.
- FBI agents also distributed more than 1,000 decryption keys to previous Hive victims.
- Under a court order, the FBI was able to seize two backend servers located in Los Angeles that Hive used to support its services. Garland added that the FBI and its international partners have also begun dismantling additional Hive infrastructure in the U.S. and abroad.
What they're saying: "We've made it clear that we will strike back against cybercrime by any means possible, and today's action reflects that strategy," said Deputy Attorney General Lisa Monaco.
The intrigue: FBI Director Christopher Wray estimated that only 20% of Hive's victims had reported the attack to law enforcement.
- The low estimate underscores the interest and urgency in establishing new mandatory cyber incident reporting laws in the U.S.
What's next: Wray said the investigation into Hive is still ongoing.
- It's possible new actions could come as the FBI further investigates the gang's crypto transactions and hunts down affiliated hackers for arrests.