Euro Security Watch with Mathew J. Schwartz

Will Hive Stay Kaput After FBI Busts Infrastructure?

Ransomware Group's Servers Remain Dark, But Rebooting Would Pose Scant Challenge

What's not to love about an international law enforcement operation wreaking disruption on Hive, the ransomware-wielding crime syndicate? But with no suspects in jail, it's unclear how long this takedown will stick before the bad guys get back their sting.

There's still plenty to celebrate since Hive, one of the world's most active ransomware groups, went dark last week after the FBI and German and Dutch law enforcement agencies seized its servers. Anyone attempting to visit Hive's dark web sites didn't see ransomware content, but rather a seizure notice (see: FBI Seizes Hive Ransomware Servers in Multinational Takedown).

"We hacked the hackers," U.S. Deputy Attorney General Lisa O. Monaco told reporters on Thursday. In July, law enforcement infiltrated parts of Hive's infrastructure and quietly passed decryption keys to over 330 victims. Monaco says those efforts prevented "more than $130 million dollars in ransomware payments" flowing to the criminals. About two weeks prior to the takedown announcement, "we stopped detecting new samples of Hive in the wild," reports Roman Rezvukhin, head of malware analysis and threat hunting at threat intelligence firm Group-IB.

Unfortunately, hackers have a habit of coming back, as has been previously seen with the likes of REvil - aka Sodinokibi - and DarkSide, not to mention Conti's many spinoffs. Likewise, the affiliates who used Hive's crypto-locking malware to amass victims in exchange for a cut of every ransom paid have plenty of other potential business partners.

"Hive will bounce back, and there is already talk amongst ransomware criminals on the dark web about when and how Hive will resurface," says ransomware tracking expert Jon DiMaggio, chief security strategist at Analyst1. "Most speculate they will rebrand, which I think is likely, but they could simply set up new infrastructure and do a reset with the same brand and try and play off their former reputation."

Hive last year dominated the ransomware scene. In the first 10 months of 2022, Sophos' incident response team reports "prolific" Hive was the fourth-most-common strain of ransomware it saw hitting victims. "We even saw them breaking into networks that other ransomware groups had already compromised," says Chester Wisniewski, field CTO for applied research at Sophos.

The FBI says Hive earned at least $100 million in profits at the expense of over 1,500 victims since it launched in June 2021.

Who's Running Scared?

In the wake of Hive's disruption, ransomware groups aren't running scared, at least in public. The marketing juices are again flowing at LockBit, and the group's public-facing spinmeister "LockBitSupp" quipped: "I love when FBI pwn my competitors."

"These criminals are like cockroaches and are seemingly impossible to stamp out," says Wisniewski. "These actions may slow them down and make them scurry under the cupboards, but they'll regroup and be back under a different guise before too long."

DiMaggio advocates psychological operations, if they're not already being used by the cops. "The issue is: Many criminals wonder if Hive was compromised - from a human aspect - and they are afraid law enforcement or the government has infiltrated some of the members themselves," he says. "It is a great time to play on these fears and create a further divide in the criminal community."

"The paranoia is certainly running rampant right now, which is a win," he adds.

DiMaggio says one concern voiced on cybercrime forums is that Hive's disruption might cause overall ransomware profits to take a hit.

More pressure comes in the form of the U.S. government's Rewards for Justice program, which has up to $10 million available to anyone who helps identify key ransomware players, including members of Hive.

Alas, few practitioners seem scared of ending up in the slammer, a reminder that many ransomware groups operate in or around Russia, which never extradites citizens to face alleged crimes abroad.

In case that message isn't clear, after the DOJ held a press conference about Hive's disruption, Moscow blocked Russians' access to the websites of the CIA, FBI and Rewards for Justice program.

Ransomware practitioners may not be able to safely travel the world without the FBI having a say on their final destination. But they appear to still have a safe haven in Russia.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
