News

Government Agencies 'Dismantle' Hive Ransomware Operations

• By Kurt Mackie
• 01/26/2023

The U.S. Department of Justice announced on Thursday that the Hive ransomware group's international network has been "dismantled."

The shutdown effort, which involved working with international law enforcement partners, was said to have disrupted the computer networks used by the Hive ransomware group. Moreover, decryption keys were distributed to the group's victims so that they wouldn't pay a ransom fee and could recover encrypted data.

The Hive group tries to extract money both by threatening to expose a victim's sensitive data (extortion) and by encrypting the victim's data and then offering a decryption key for a ransom fee. Hive follows a "ransomware-as-a-service (RaaS) model" in which they create ransomware for affiliates to use against a victim in exchange for a percentage of the profits (about 20 percent, according to the Justice Department).

The announcement didn't mention whether any arrests were made. However, the Hive group's servers used to communicate with other members were seized by German and Dutch police agencies. That action was described as "disrupting Hive's ability to attack and extort victims."

"While this is definitely a win, this is by no means the end of ransomware," commented Jordan LaRose, practice director for Infrastructure Security at NCC Group, via e-mail. "We have already seen a reemergence from REvil, and Hive will likely follow suit in some form."

Before the disruption, the Hive group had "targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure," the Justice Department indicated.

The U.S. Federal Bureau of Investigation (FBI) was able to infiltrate the Hive group's computer networks, which had been in effect "since late July 2022." By that method, the decryption keys were obtained. The FBI action was said to have thwarted "$130 million in ransom demanded."

The Hive group's ransomware attacks used Remote Desktop Protocol and virtual private networks and other remote connection protocols that used "single-factor logins," the Justice Department explained. The Hive group's attack methods are further explained in this November joint Cybersecurity Advisory published by the Cybersecurity and Infrastructure Security Agency (CISA).

According to that Cybersecurity Advisory, the Hive group's initial access to victim networks was carried out by phishing attacks. The group also typically leveraged common vulnerabilities and exposures in Microsoft Exchange Server that Microsoft had issued patches for back in 2021.

Microsoft Appeals to IT Pros
Coincidentally, the Microsoft Exchange team issued an announcement on Thursday exhorting IT pros maintaining Exchange Server implementations to keep their servers patched with the latest cumulative updates and security updates.

"Attackers looking to exploit unpatched Exchange servers are not going to go away," the Exchange team stated. "There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts."

Exchange Server exploits can give attackers access to sensitive mailbox data, plus a copy of the organization's address book for use in social engineering attacks. An exploited Exchange Server can also give attackers "deep hooks into and permissions within Active Directory," the team added.

Exchange Server upkeep typically involves running manual tasks, and IT pros can use Microsoft's Health Checker to find them. "After installing an update, there may be manual tasks that an admin needs to perform, so always run Health Checker after installing an update to check for such tasks," the team advised.

Microsoft is actually soliciting feedback from IT pros about its cumulative update and security update process for Exchange Server. The survey can be found here.

Ransomware Stats
Ransomware success actually declined last year by about 40.3 percent, according to a report by Chainalysis, a company that investigates cybersecurity breaches and stolen cryptocurrency funds. In 2022, $456.8 million was extorted by ransomware attackers, which is down from $765.6 million extorted in 2021.

Ransomware attacks weren't on the decline, though. "Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers," the report indicated. The reduction in payments also may be due, in part, to more stringent security underwriting stipulations made by cyberinsurance firms, the report suggested.

Chainalysis tracked "10,000 unique strains" of ransomware in "the first half of 2022." However, it surmised that "the actual number of individuals who make up the ransomware ecosystem is likely quite small."

Another take on ransomware can be found in "The State of Ransomware 2022" report published by cybersecurity company BlackFog. Its report showed a decline in ransomware attacks happening in December 2022, after peaking in October. The report estimated that the average U.S. ransomware payout was "$258,143k." Top ransomware variants for the year included LockBit, BlackCat and Hive. The top targets of ransomware attackers were located in the United States, representing 46 percent of attacks.