Will Hive Stay Kaput After FBI Busts Infrastructure?Ransomware Group's Servers Remain Dark, But Rebooting Would Pose Scant Challenge
What's not to love about an international law enforcement operation wreaking disruption on Hive, the ransomware-wielding crime syndicate? But with no suspects in jail, it's unclear how long this takedown will stick before the bad guys get back their sting.
There's still plenty to celebrate since Hive, one of the world's most active ransomware groups, went dark last week after the FBI and German and Dutch law enforcement agencies seized its servers. Anyone attempting to visit Hive's dark web sites didn't see ransomware content, but rather a seizure notice (see: FBI Seizes Hive Ransomware Servers in Multinational Takedown).
"We hacked the hackers," U.S. Deputy Attorney General Lisa O. Monaco told reporters on Thursday. In July, law enforcement infiltrated parts of Hive's infrastructure and quietly passed decryption keys to over 330 victims. Monaco says those efforts prevented "more than $130 million dollars in ransomware payments" flowing to the criminals. About two weeks prior to the takedown announcement, "we stopped detecting new samples of Hive in the wild," reports Roman Rezvukhin, head of malware analysis and threat hunting at threat intelligence firm Group-IB.
Unfortunately, hackers have a habit of coming back, as has been previously seen with the likes of REvil - aka Sodinokibi - and DarkSide, not to mention Conti's many spinoffs. Likewise, the affiliates who used Hive's crypto-locking malware to amass victims in exchange for a cut of every ransom paid have plenty of other potential business partners.
"Hive will bounce back, and there is already talk amongst ransomware criminals on the dark web about when and how Hive will resurface," says ransomware tracking expert Jon DiMaggio, chief security strategist at Analyst1. "Most speculate they will rebrand, which I think is likely, but they could simply set up new infrastructure and do a reset with the same brand and try and play off their former reputation."
Hive last year dominated the ransomware scene. In the first 10 months of 2022, Sophos' incident response team reports "prolific" Hive was the fourth-most-common strain of ransomware it saw hitting victims. "We even saw them breaking into networks that other ransomware groups had already compromised," says Chester Wisniewski, field CTO for applied research at Sophos.
The FBI says Hive earned at least $100 million in profits at the expense of over 1,500 victims since it launched in June 2021.
Who's Running Scared?
In the wake of Hive's disruption, ransomware groups aren't running scared, at least in public. The marketing juices are again flowing at LockBit, and the group's public-facing spinmeister "LockBitSupp" quipped: "I love when FBI pwn my competitors."
Ransomware group comment to the HIVE take down:
ALPHV: This would not work on us, we have too strong security and we do not store anything on our servers
BianLian: Too bad. I think they will be restored under a new name
Lockbit: Nice news. I love when FBI pwn my competitors— vx-underground (@vxunderground) January 27, 2023
"These criminals are like cockroaches and are seemingly impossible to stamp out," says Wisniewski. "These actions may slow them down and make them scurry under the cupboards, but they'll regroup and be back under a different guise before too long."
DiMaggio advocates psychological operations, if they're not already being used by the cops. "The issue is: Many criminals wonder if Hive was compromised - from a human aspect - and they are afraid law enforcement or the government has infiltrated some of the members themselves," he says. "It is a great time to play on these fears and create a further divide in the criminal community."
"The paranoia is certainly running rampant right now, which is a win," he adds.
DiMaggio says one concern voiced on cybercrime forums is that Hive's disruption might cause overall ransomware profits to take a hit.
More pressure comes in the form of the U.S. government's Rewards for Justice program, which has up to $10 million available to anyone who helps identify key ransomware players, including members of Hive.
Alas, few practitioners seem scared of ending up in the slammer, a reminder that many ransomware groups operate in or around Russia, which never extradites citizens to face alleged crimes abroad.
In case that message isn't clear, after the DOJ held a press conference about Hive's disruption, Moscow blocked Russians' access to the websites of the CIA, FBI and Rewards for Justice program.
Ransomware practitioners may not be able to safely travel the world without the FBI having a say on their final destination. But they appear to still have a safe haven in Russia.