Los Angeles Times

U.S. infiltrates a large ransomware syndicate

Officials say FBI and global partners have at least temporarily dismantled a network of prolific thieves.

By Eric Tucker and Frank Bajak. Tucker and Bajak write for the Associated Press and reported from Washington and Boston, respectively.

WASHINGTON — The FBI and international partners have at least temporarily dismantled the network of a prolific ransomware gang they infiltrated last year, saving victims such as hospitals and school districts a potential $130 million in ransom payments, Atty. Gen. Merrick Garland and other U.S. officials announced Thursday.

“Simply put, using lawful means, we hacked the hackers,” Deputy Atty. Gen. Lisa Monaco said at a news conference.

Officials said the targeted syndicate, known as Hive, operates one of the world’s top five ransomware networks and has heavily targeted hospitals and other healthcare providers. The FBI quietly accessed its control panel in July and was able to obtain software keys it used with German and other partners to decrypt networks of some 1,300 victims globally, FBI Director Christopher A. Wray said.

How the takedown will affect Hive’s long-term operations is unclear. Officials announced no arrests but said that, to pursue prosecutions, they were building a map of the administrators who manage the software and the affiliates who infect targets and negotiate with victims.

“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.

On Wednesday night, FBI agents seized computer infrastructure in Los Angeles that was used to support the network. Two Hive darkweb sites were seized: one used for leaking data of nonpaying victims, the other for negotiating extortion payments.

“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack,” Garland said.

He said that thanks to the infiltration, led by the FBI’s Tampa, Fla., office, agents were able in one instance to disrupt a Hive attack against a Texas school district, stopping it from making a $5-million payment.

The operation is a big win for the Justice Department. The ransomware scourge is the world’s biggest cybercrime headache, with targets such as Britain’s postal service, Ireland’s national health service and Costa Rica’s government crippled by Russian-speaking syndicates that have Kremlin protection.

The criminals lock up, or encrypt, victims’ computer networks, steal sensitive data and demand large sums. Their extortion has evolved to where data are pilfered before ransomware is activated, then effectively held hostage. Pay up in cryptocurrency or it is released publicly.

As an example of Hive’s threat, Garland said the network had prevented a Midwestern hospital in 2021 from accepting new patients at the height of the COVID-19 pandemic.

The online takedown notice, alternating in English and Russian, mentions Europol and German law enforcement partners. The German news agency DPA quoted prosecutors in Stuttgart as saying cyber specialists in the southwestern town of Esslingen were decisive in penetrating Hive’s criminal IT infrastructure after a local company was victimized.

In a statement, Europol said that companies in more than 80 countries, including oil multinationals, have been compromised by Hive and that law enforcement from 13 countries was in on the infiltration.

A U.S. advisory last year said Hive ransomware actors victimized more than 1,300 companies worldwide from June 2021 through November 2022, receiving about $100 million in ransom payments. It said criminals using Hive ransomware targeted a wide range of businesses and crucial infrastructure, including government, manufacturing and especially healthcare.

Even though the FBI offered decryption keys to some 1,300 victims around the world, Wray said only about 20% of them reported potential issues to law enforcement.

“Here, fortunately, we were still able to identify and help many victims who didn’t report. But that is not always the case,” Wray said. “When victims report attacks to us, we can help them and others, too.”

John Hultquist, the head of threat intelligence at cybersecurity firm Mandiant, said the Hive disruption won’t cause a major drop in overall ransomware activity but is nonetheless “a blow to a dangerous group.”

“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” Hultquist said.

But Brett Callow, an analyst with cybersecurity firm Emsisoft, said the operation is apt to lessen ransomware crooks’ confidence in what has been a very high-reward, low-risk business.

“The information collected may point to affiliates, launderers and others involved in the ransomware supply chain,” Callow said.

Allan Liska, an analyst with Recorded Future, another cybersecurity outfit, predicted indictments, if not arrests, in a few months.

An analysis of cryptocurrency transactions by the firm Chainalysis found ransomware extortion payments were down last year.

Photo: Jose Luis Magana / Associated Press. “WE HACKED the hackers,” Deputy Atty. Gen. Lisa Monaco said during a news conference Thursday.
