We asked ex-FBI pros how their peers gutted Hive


The FBI spent months entrenched in the systems of a top-five ransomware syndicate. We asked people familiar with such operations how the Bureau managed to pull it off.

International ransomware syndicate Hive met its end after the FBI seized IT infrastructure cybercriminals used to extort their victims.

According to the US Department of Justice (DoJ), the feds infiltrated the gang in July 2022, allowing them to give victims thousands of decryptor keys and prevent them from having to pay $130 million in ransom demands.

The revelation means that for the past six months, authorities knew about most of Hive’s victims, and the syndicate likely saw a sharp drop in ransom revenue from its affiliates. However, cybercriminals still weren’t alerted.

Announcement on Hive's leak site. Image by Cybernews.

How was Hive infiltrated?

While it’s impossible to know how exactly the operation was conducted, Darren Mott, a retired FBI Special Agent who worked on cybercrime, thinks that the Bureau either had an undercover agent or, more likely, recruited somebody from the inside. One telltale sign of an insider is the exposed decryptor.

“These assets could track the workings of the group and obtain the information they did. As to the decryptor, this is more evidence that they had human assets within the group, as they would have access to this type of intelligence,” Mott told Cybernews.

The operation could have also merged the two approaches. For example, authorities could have recruited an insider to invite “a credible friend” to join the crew, according to Dr. Chris Pierson, a former advisor to the FBI and CEO of cybersecurity firm BlackCloak.

Hive’s seizure could have taken a different approach, with FBI hackers penetrating the gang’s systems without inside help. Once inside, the feds continued carefully monitoring every twist and turn inside the criminal group.

“They will actually hack into the environment, sit, watch, and develop information and knowledge on the operation just like the cybercriminals do when they attack a company,” Dr. Pierson explained.


Why wasn’t Hive alerted?

The US Department of Justice (DoJ) says, “the FBI has provided over 300 decryption keys to Hive victims who were under attack.” This means several hundred unsuccessful attacks failed to alert cybercriminals that something was wrong.

One reason for Hive’s ignorance may be related to its ransomware-as-a-service (RaaS) operation model. In other words, the syndicate had so many affiliates that it wasn’t keeping tabs on the victims.

“Ransomware groups often ‘spray and pray,’ and they may not have known all the victims they had compromised as the FBI may have gotten in the victim notification process before HIVE even realized they had compromised a victim,” Mott said.

The FBI could have also discovered what points of entry Hive used, sharing the information with targeted victims and allowing them to up the defenses in the initial stages of the attack.

Cybercriminals might have been left in the dark about their successes and failures if victims who chose to cooperate with law enforcement hadn’t come out publicly to state they were attacked.

According to Dr. Pierson, there’s also a possibility that Hive simply messed up, ignoring metrics such as the ratio of deployments to paid victims.

“This could be due to issues with the callback software itself, not collecting the data, or not noticing a trend of decryption and lack of payment indicating a problem,” Dr. Pierson said.

Why did the FBI wait six months?

Another interesting aspect of Hive’s seizure is that the FBI stayed within the gang’s systems for half a year. This means that when CISA warned of the threats Hive poses in late November, the feds had been inside for a good four months.

Randy Pargman, a former member of the FBI’s Cyber Task Force in Seattle and a VP of Threat Hunting & Counterintelligence at Binary Defense, thinks the longer authorities stay inside, the more chances they have to obliterate criminals’ systems.

“If they had immediately taken down the server after it was found, the Hive ransomware group could have just rebuilt another server and continued their operations. Instead, law enforcement made the decision to monitor the server and quietly provide decryption keys to victims,” Pargman said.

The FBI didn’t say they managed to help all of Hive’s victims. The authorities might have chosen to help the most vulnerable organizations, such as healthcare institutions Hive’s affiliates so often targeted, avoiding letting the cat out of the bag.


“It’s possible that law enforcement did quietly inform all the victims they could reach, but some companies chose to pay the ransom anyway to keep their files from being published by the Hive ransomware operators,” Pargman explained to Cybernews.

Whatever route the authorities chose, the ransomware gang that accounted for around 9% of reported ransomware attacks in 2022 is no longer active. While threat actors might soon regroup, at least for now, a syndicate known to target healthcare institutions cannot continue.

“The Dutch NHTCU, Germany’s BKA, the FBI, and other cyber police around the world have been innovating new strategies that have proven in several cases to be effective in helping victims, even when some cyber criminals remain protected from prosecution by their home countries,” Pargman said.

