
FBI Dismantles Hive Ransomware Network From the Inside, Thwarting Over $130m in Ransom Demands

On January 26, 2023, the US Department of Justice (DOJ) announced the outcome of a months-long coordinated operation to dismantle the ransomware-as-a-service (RaaS) network Hive. Threat actors used the network to target more than 1,500 victims in over 80 countries, spanning a wide range of businesses and critical infrastructure sectors, including government facilities, school districts, critical manufacturing, and public healthcare.

In July 2022, the FBI infiltrated the criminal group’s computer networks and captured its decryption keys. Since then, over 300 decryption keys have been shared with Hive victims, sparing them from having to pay ransom demands. The FBI also distributed over 1,000 keys to previous victims. In total, the FBI’s infiltration has thwarted over $130 million in ransom payments.

The DOJ also announced that, in coordination with German law enforcement and the Netherlands National High Tech Crime Unit, Hive’s servers and websites have been seized, cutting off communication between Hive members and disrupting the group’s ability to attack victims.

Hive ransomware group

According to a joint Cybersecurity Advisory (CSA) issued by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), Hive threat actors have extorted over $100 million since June 2021. 

Following the network’s takedown, the State Department announced via Twitter that it is offering a $10 million bounty for any information about Hive’s possible involvement with foreign governments.

Over the last two years, the State Department also offered rewards of up to $15 million for information that could help locate members of the Sodinokibi (REvil), Conti, and DarkSide ransomware networks. The State Department offers these rewards through its Transnational Organized Crime Rewards Program (TOCRP), which has paid out over $135 million in rewards since 1986.

The International Counter Ransomware Initiative (CRI)

As reflected in our 2023 global compliance report, ransomware increased in scale and variety throughout 2022. According to FinCEN, compared to 2020, ransomware incidents in the second half of 2021 increased by more than 50 percent, with ransomware-related Bank Secrecy Act (BSA) filings hitting $1.2 billion.  

To enhance international cooperation to combat the growth of ransomware, the International Counter Ransomware Initiative (CRI) was formed in October 2021. The initiative unites over 30 partners to tackle ransomware through a coordinated and comprehensive approach to ransomware resilience, illicit finance, and public-private partnerships. 

The most recent summit of the CRI took place from October 31 to November 1, 2022, with discussions centering on the prevention of large-scale cyber attacks and money laundering via digital currencies. At the summit, the CRI’s goals for 2023 were established, one of which was to establish an International Counter Ransomware Task Force (ICRTF) to translate research, findings, and policy discussions into:

  • Cyber threat intelligence exchanges
  • Cross-sectoral tools
  • Collective best practice guidance for countering ransomware

On January 23, the ICRTF was formally established and will henceforth be chaired by the Australian government.

Key takeaways

To combat the rising threat of ransomware, financial institutions must practice good cyber hygiene and boost their cyber defenses. Digital-native firms not yet operating bug bounty programs would do well to consider implementing them, alongside regularly scheduled penetration testing exercises.

Strong cybersecurity controls should be in place alongside business resiliency and continuity plans. Compliance staff should also ensure they are familiar with the ransomware trends and typologies identified by the Financial Crimes Enforcement Network (FinCEN) in its 2021 advisory, including:

  • Extortion schemes
  • Use of “fileless” ransomware
  • Use of anonymity-enhanced cryptocurrencies (AECs)
  • Unregistered convertible virtual currency (CVC) mixing services
  • Ransomware criminals forming partnerships and sharing resources

The typologies identified by FinCEN should be built into firms’ anti-money laundering and combating the financing of terrorism (AML/CFT) controls. Furthermore, when submitting a suspicious activity report (SAR) stemming from a potential ransomware threat, FinCEN requests that firms reference its 2021 advisory by including the key term “CYBERFIN-2021-A004” and selecting SAR field 42 (Cyber Event).


Originally published 02 February 2023, updated 18 April 2024


Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).