The Justice Department on Thursday announced it had disrupted a notorious cybercriminal group behind ransomware attacks on more than 1,500 victims worldwide and millions of dollars in extorted payment.
The announcement came amid an ongoing larger effort by the Biden administration to clamp down on ransomware attacks, which have surged in recent years and have held hostage the data of critical organizations like hospitals, governments and schools.
Justice Department personnel used a court order on Wednesday night to seize two back-end servers belonging to the Hive ransomware group in Los Angeles and took control of the group’s darknet website, Attorney General Merrick Garland said Thursday.
Garland, at a press conference in Washington, said Hive was behind attacks in the past two years on a Midwest hospital, which was forced to stop accepting new patients and to pay a ransom to decrypt health data. While Garland did not name the hospital, the Memorial Health System in West Virginia and Ohio was attacked by Hive affiliates at the same time. Hive was also linked to an attack last year on Costa Rica’s public health service.
Hive is known to go after health care organizations, and the Justice Department, the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services put out a joint alert last year warning of additional Hive attacks on health care and public health groups.
Garland said the Justice Department had assisted around 300 victims around the world since July, and stopped the payment of around $130 million to Hive.
“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resources to identify and bring to justice anyone, anywhere who targets the United States with a ransomware attack,” Garland said.
FBI Director Christopher Wray said the “disruption campaign” against Hive had taken place over the past year and a half, and involved FBI personnel gaining access to Hive’s control panels in order to give victims keys to unlock their encrypted systems. Wray pressed victims of cyberattacks to come forward and inform law enforcement, noting that only around 20 percent of Hive’s victims had done so.
“A reminder to cybercriminals: No matter where you are, and no matter how much you try to twist and turn to cover your tracks — your infrastructure, your criminal associates, your money and your liberty are all at risk, and there will be consequences,” Wray told reporters.
Hackers linked to some ransomware attacks have often been based out of Russia, including the hackers behind the 2021 attack on Colonial Pipeline, which temporarily crippled the supply of gas to the East Coast. While the Biden administration opened discussions with Moscow in 2021 about cracking down on cybercriminals based in Russia, these talks collapsed following the Russian invasion of Ukraine last year.
When asked whether Hive cybercriminals were based in Russia, Garland declined to answer, noting “we are in the middle of an ongoing investigation.”
While the dismantling of Hive’s operations is a win for the Justice Department — which launched a ransomware task force in 2021 to better prioritize investigating and bringing to justice ransomware cybercriminals — at least one expert is skeptical of its long-term impact.
"The disruption of the Hive service won’t cause a serious drop in overall ransomware activity, but it is a blow to a dangerous group that has endangered lives by attacking the health care system,” John Hultquist, the head of Mandiant Threat Intelligence at Google Cloud, said Thursday. He noted that a new competitor will likely be “standing by” to take Hive’s place.
“Actions like this add friction to ransomware operations. Hive may have to regroup, retool, and even rebrand,” Hultquist said. “When arrests aren’t possible, we’ll have to focus on tactical solutions and better defense. Until we can address the Russian safehaven and the resilient cybercrime marketplace, this will have to be our focus."