FBI Takes Down Hive Criminal Ransomware Group

Ransomware attacks, in which hackers encrypt computer systems and demand that victims pay or risk losing access to their data, have damaged targets ranging from individuals to powerful organizations. Victims include large corporations such as meat producer JBS, major infrastructure such as Colonial Pipeline, and entire countries such as Costa Rica. Last week, the Justice Department released some rare good news about this criminal industry. The FBI had compromised a major ransomware group called Hive and obtained its decryption keys. These keys allow ransomware victims to recover their data without paying the requested fees. The FBI’s actions allowed affected parties to avoid $130 million in payments. US law enforcement agencies then worked with international partners to seize Hive’s servers and shut down its website.

Hive has been a major player in the ransomware space since June 2021, attacking over 1,500 victims in over 80 countries and extorting over $100 million, according to official DOJ statements. “In terms of the number of organizations affected and the amount of money being paid out, I would say it is comparable to the largest ransomware groups that we have data on,” says Wolff, of Tufts University. Scientific American spoke with Wolff about how the FBI took down Hive and how this law enforcement effort is impacting other ransomware criminals.

[An edited transcript of the interview follows.]

What action did the FBI take against Hive?

There are two parts to this, both of which are very interesting. The first thing law enforcement did was actually hack into [Hive’s] internal communications for months, [since last] summer, based on what the Justice Department said. And because [law enforcement was] inside those computers, the Department of Justice says it could see who was being infected and, more importantly, what the decryption keys were to undo the ransomware. [It was] able to help many targeted victims actually decrypt their systems, by essentially stealing their decryption keys from Hive’s servers without Hive knowing what was going on. That meant that, for months, law enforcement infiltrated those servers, obtained decryption keys, and provided them to victims so they could recover their computers.

The second part of that, which just happened, is the takedown. The Department of Justice actually broke in and seized the servers and [Hive’s] website. For that part, I think it’s hard to know what the long-term impact will be, as servers and a website are replaceable. So while this is a nice disruption, it’s not necessarily the same as saying, “These people will never be able to distribute ransomware again.” And my guess is that the reason the takedown took place is that the presence of law enforcement in [Hive’s] systems was detected. Otherwise, I think they would have tried to maintain that presence as long as reasonably possible.

Could the FBI continue to put together such operations for months, including embedding agents in organized crime systems?

I honestly hope so. I think it is difficult to do this in many cases, because many cybercrime organizations are quite cautious about who has access to their servers, for obvious reasons. My guess is that this is a bit of an anomaly and that they found one that wasn’t well protected. [That is] linked to the fact that [Hive is] a “ransomware as a service” organization: they are very widely used by various entities in this space, since they rent out their malware to many other malicious actors. They may have been doing a lot of business with people who are customers buying their services, rather than known members of the [organization]. Certainly, I think this is what law enforcement is trying to do. I wish them success.

Will Hive’s downfall deter other ransomware groups?

I think it depends a little on some of the next steps; no one has been arrested yet. I’m sure some larger organizations are wiping their systems and looking for signs of a similar presence to watch out for. I think there is less attention and fear about ransomware for cybercriminals operating abroad, so I don’t know if anyone will tone down their ransomware operations. It certainly makes people nervous about the possibility of their systems being compromised.

What else are these groups doing these days? What is the current state of the ransomware world?

We continue to see fairly significant and highly impactful ransomware attacks against healthcare organizations, local governments, national governments, and private sector organizations. In general, my sense from insurance companies is that ransomware incidence rates have slowed down a bit over the last six months to a year, from the period that caused the most damage and the greatest number of claims. But that certainly doesn’t mean it’s gone.

Why is that slowdown happening?

There are different ideas about it. I think a lot of insurers would say they’ve gotten better at asking policyholders to take certain steps to protect themselves. The easiest of these is to create backups so that everyone can restore their systems if everything is encrypted. And that, at the very least, they believe has helped reduce the number of claims and losses from ransomware attacks. The war in Ukraine has also thrown the ransomware industry into turmoil. There are a number of ransomware groups and cybercriminals with operations in Ukraine (often with Russian-based leaders) that have started leaking information about each other and undermining each other’s efforts from the inside.

Another part is the very aggressive crackdown not only in the US but also in Europe. They’re trying to catch people, take them down, and turn ransomware into a low-profit crime. Part of it also focuses on regulation of the cryptocurrency industry: sanctioning particular cryptocurrency exchanges that criminals are using to process these payments. Cryptocurrency intermediaries facilitate large-scale, cross-border payments, which is essential for this to be a profitable business. Another area the US government is definitely pursuing is international partnerships. Most of these criminals are not based in the United States or in the other countries where most of their victims are. [Taking them down] in practice requires very active cooperation with foreign law enforcement agencies.

Are cybercriminals changing their tactics to counter a stronger response from law enforcement?

One of the areas we haven’t touched on much is the question of what happens when a ransomware operator not only encrypts a victim’s system but also steals a copy of all the data and threatens, “I’m going to leak all your data online.” That’s something that’s become more frequent over the past few years. What’s particularly troubling, given the solution we’ve seen here, is that “provide the decryption key and don’t pay the ransom” is not a very effective mitigation in some cases, if a stolen copy is being held over the victim’s head.

Did you learn anything else from the Hive takedown?

In the Department of Justice statement, they said that being inside Hive’s servers allowed them to see who was being targeted. However, they had only received reports from about 20 percent of victims. This gives one data point for the percentage of ransomware attacks that are actually reported directly to the FBI, versus the percentage [for which] the FBI reached out proactively and said, “It looks like this ransomware group may have affected you. We hope we can help.” [Twenty percent is] a pretty low number in terms of trying to understand the scale of this problem beyond what people voluntarily report.
