In a major counter-offensive, authorities from various countries collaborated to “hack the hackers” and disrupted the group’s ransomware operations

In a month-long blitz, authorities in the United States on 26 Jan seized the servers used by the Hive ransomware group, which has been considered among the most dangerous and prolific hacker gangs targeting hospitals and public infrastructure.

Agents from the Federal Bureau of Investigation (FBI) had accessed Hive’s network, blocked about US$130m in demanded ransoms, and even retrieved some of the keys needed to decrypt victims’ ransomed data.

Also involved in the FBI operation were law enforcement officials from Germany, members of the Netherlands National High Tech Crime Unit, and investigators from the National Crime Agency in the UK. However, the ransomware group’s members, who are known to communicate in Russian and who have ties with the Kremlin, are not currently under arrest, and Russia does not extradite citizens implicated in crimes on foreign soil.

One goes down, another actor surfaces
While this takedown is good news for the world at large, history shows that seemingly dead ransomware collectives tend to regroup and rise from the ashes under different brands, according to Roman Rezvukhin, head of malware analysis and threat hunting (APAC), Group-IB. He said: “A few notable examples are REvil, DarkSide, and Conti. It is always interesting to observe other market players’ reactions to such significant developments. For instance, another ransomware ‘Big 3’ member, LockBit, gloated over the rival gangs’ misfortune on Dark Net forums: ‘Nice news. I love when FBI pwn my competitors.’”

Another ransomware collective, BianLian, had ‘sympathized’ with the Hive takedown: “Too bad. I think they will be restored under a new name.” Rezvukhin continued: “While the shutdown of Hive infrastructure is a big step, the ultimate goal should be to arrest the owners and affiliates, which is the most effective means of fighting the phenomenon of Ransomware-as-a-Service and cybercrime as a whole. If the affiliates and malware developers remain at large, it is not an impossible task to set up new infrastructure, especially given Hive’s ability to edit and refresh its ransomware.”