FBI seizes website used by notorious ransomware gang

This screengrab captured by CNN shows a website hosted by Hive Ransomware seized by the FBI. The website, in Russian, says,

CNN  — 

The FBI has seized the computer infrastructure used by a notorious ransomware gang which has extorted more than $100 million from hospitals, schools and other victims around the world, US officials announced Thursday.

FBI officials since July have had extraordinary access to the so-called Hive ransomware group’s computer networks, FBI Director Christopher Wray said at a news conference, allowing the bureau to pass computer “keys” to victims so that they could decrypt their systems and thwart $130 million in ransom payments.

As of November, Hive ransomware had been used to extort about $100 million from over 1,300 companies worldwide – many of them in health care, according to US officials.

The dark-web website on which Hive listed its victims displayed a message in Russian and English Thursday that it had been taken over “as part of a coordinated law enforcement action” against the group by the FBI, Secret Service and numerous European government agencies.

“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco told reporters.

The Hive ransomware has been particularly rampant in the health care sector. One ransomware attack using Hive malicious software, in August 2021, forced a hospital in the US Midwest to turn away patients as Covid-19 surged, Attorney General Merrick Garland said.

Other reported US victim organizations of Hive include a 314-bed hospital in Louisiana. The hospital said it thwarted a ransomware attack in October, but that the hackers still stole personal data on nearly 270,000 patients.

“Hive compromised the safety and health of patients in hospitals – who are among our most vulnerable population,” said Errol Weiss, chief security officer for the Health Information Sharing and Analysis Center, a cyber threat sharing group for big health care providers worldwide. “When hospitals are attacked and medical systems go down, people can die.”

Thursday’s announcement is the latest in a series of Justice Department efforts to crack down on overseas ransomware groups that lock up US companies’ computers, disrupt their operations and demand millions of dollars to unlock the systems. Justice officials have seized millions of dollars in ransomware payments and urged companies not to pay off the criminals.

The ransomware epidemic grew more urgent for US officials after Colonial Pipeline, the major pipeline operator for sending fuel to the East Coast, shut down for days in May 2021 due to a ransomware attack from a suspected Russian cybercriminal. The disruption led to long lines at gas stations in multiple states as people hoarded fuel.

While the ransomware economy remains lucrative, there are signs that the US and international law enforcement stings are making a dent in the hackers’ earnings. Ransomware revenue fell to about $457 million in 2022, down from $766 million in 2021, according to data from cryptocurrency-tracking firm Chainalysis.

Cybersecurity professionals welcomed the Hive takedown, but some worried that another group would soon fill the void left by Hive.

“The disruption of the Hive service won’t cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system,” John Hultquist, a vice president at Google-owned cybersecurity firm Mandiant, told CNN.

“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” Hultquist said.

Wray said the FBI would continue to track the people behind Hive ransomware and try to arrest them. It was not immediately clear where those people were located. The Department of Health and Human Services has descried Hive as a “possibly Russian speaking” group.

This story has been updated with additional details.