The FBI has seized the computer infrastructure used by the Hive ransomware group, which has extorted more than $100 million from hospitals, schools, and other victims around the world. The FBI has had extraordinary access to the group’s computer networks since July, allowing the bureau to pass computer “keys” to victims so that they could decrypt their systems and thwart $130 million in ransom payments.
As of November, Hive ransomware had been used to extort about $100 million from over 1,300 companies worldwide, many of them in healthcare. The Hive Ransomware has been particularly rampant in the healthcare sector, one ransomware attack using Hive malicious software in August 2021 forced a hospital in the US Midwest to turn away patients as Covid-19 surged. Other reported US victims of Hive include a 314-bed hospital in Louisiana.
We heard from experts from VMware, Immersive Labs, and Xage Security on what this action from the FBI means for the industry and the future of Hive and the threat of ransomware.
Eric O’Neill, National Security Strategist, VMware
“The disruption of the notorious Hive ransomware group demonstrates that the FBI has increased its ability to investigate and track threat actors across the Dark Web. This supports the commendable work the FBI’s IC3 is doing to track cybercrime attacks and coordinate efforts to repatriate stolen funds from cybercriminals, further reinforcing the importance of notifying the IC3 when a ransomware attack occurs.
It’s also worth noting how large the Dark Web has grown and how well-resourced new cyber crime syndicates, such as Hive, have become. The Dark Web is currently the third largest economy on Earth measured by GDP, which is larger than Japan or Germany. By 2025, this will grow larger than both countries combined. The FBI’s work to shut down Hive servers and repatriate encryption keys is a great step in the right direction, but it is only a step along a distant marathon to stop Dark Web-resourced cyber crime.”
Eric O’Neill is also the author of Gray Day: My Undercover Mission to Expose America's First Cyber Spy. He helped expose Robert Hanssen, one of America's most notorious double agents during his time as an FBI counterterrorism and counterintelligence operative.
Kev Breen, Director of Cyber Threat Research, Immersive Labs
"Disrupting Hive is no doubt a victory, but the war is far from over. While this action will have a short-term effect on the proliferation of ransomware, Hive operates under a Ransomware-as-a-Service (RaaS) model, meaning they use affiliates that are responsible for gaining the initial foothold and then dropping the ransomware payload. With the proverbial head of this snake cut off, those affiliates will turn to other ransomware operators and pick up where they left off.
Hive affiliates have been known to exploit weak or stolen credentials to gain access to RDP and VPN services, as well as sending phishing emails with malicious links and attachments - attacks that depend on exploiting people. To combat these threats and build long-term cyber resilience, leaders must ensure their workforces have the cyber capabilities and judgment to respond effectively to attacks. Although they may not be derived from Hive next time, they will be coming from other malicious actors and cyber resilience is key."
Duncan Greatwood, CEO of Xage Security
“2023 has started off with a bang with critical infrastructure attacks – both physical and cyber – at an all time high. Why? Critical infrastructure attacks result in widespread impacts, draw international attention and increase the success of a ransomware payout. Every second of downtime at energy, utilities, hospitals and other critical infrastructure around the world can leave communities stranded and even cost lives, forcing parties to respond quickly.
Today’s announcement is a win for the DOJ and I applaud their efforts but we also need to be realistic. Adversaries are smart and this win is bound to be short-lived. If we don’t shift our mindset and find ways to not only stop them but also prevent them from getting in the first place, we’ll continue to see these attacks succeed. Adversaries are always one step ahead and bound to already be searching for new ways to break through and impact our day-to-day lives in order to achieve their goals. It’s paramount that critical infrastructure operators embrace the latest technology and security measures to go beyond just detecting and reacting to these attacks and instead prevent them by blocking them at the source.” ###