
Hive: The Hunted Hunter

2023-02-09T09:33:41.214Z



A change of course shows the relevance of a growing risk inherent to the entire planet: for the first time coordinated security agencies infiltrate and hack hackers.

Although faces and names are unknown so far, indications suggest Russian citizens.

Hive was described in August 2021 as a potentially devastating type of ransomware, linked to a cyberattack against a health system in the midst of a crisis due to Covid-19.

It uses a multi-pronged approach, not only encrypting sensitive data, but also affecting backups to make it difficult for organizations to recover.

In September of that year, a new type of attack emerged that served as a reminder that the world of cybercrime is constantly evolving, even during a once-in-a-century health crisis.

At the time, the FBI raised an alert about the ransomware after it was linked to a cyberattack on the Marietta, Ohio-based Memorial Health System that shut down the health agency's computer systems, leading to the cancellation of surgeries and radiology exams.

This gang is particularly damaging because it employs a multi-pronged approach.

In most ransomware cases, the first step is to lock the data files, but with Hive, that's the last thing.

Instead, the group behind the attacks remains anonymous, spends time understanding the IT environment, examines backup copies and the security measures in place, and ultimately defeats the defense mechanisms so the victim cannot recover.

For the first time, at least in an open and declared way, the US Department of Justice hacked the Hive gang.

The FBI infiltrated and covertly operated its network of servers and infrastructure, responsible for more than 1,500 victims in some 80 countries around the world, including hospitals, financial institutions, businesses, banks, utilities and critical infrastructure.

Starting in July 2022, the FBI penetrated Hive's computer networks, captured their decryption keys, and offered them to victims around the world, sparing them from having to pay $130 million in ransoms.

Some 1,300 organizations have been assisted to recover their hijacked data and systems.

The FBI acted together with the German Federal Criminal Police and the Netherlands National High-Tech Crime Unit, seizing control of the servers and websites they used to operate.

Hive's "ransomware-as-a-service (RaaS)" model is to build and sell ransomware, then recruit "affiliates" to deploy it, with administrators pocketing 20% of the profits and posting the stolen data on a site called "HiveLeaks" if a victim refuses to pay.

Affiliates use methods such as phishing, exploiting FortiToken authentication vulnerabilities, and gaining access to company VPNs and remote desktops that are protected only with single-factor logins.

Strangely, 20% of the detected victims contacted the FBI for help.

Many of them refrain from contacting the agency for fear of repercussions from hackers and scrutiny in their industries for failing to protect themselves.

Curiously, there were no announcements of arrests at the moment.

In this regard, the process of determining the real identity of the perpetrators remains complex, and there is concern that, as has happened in the past, the cybercriminals will regroup in a new gang and return to their old ways.

Gabriel Zurdo is CEO of BTR Consulting, a specialist in technological risk and business.

Source: clarin
