For the second day in a row, public schools on the tiny island of Nantucket remained closed Wednesday as administrators scrambled to cope with a ransomware attack on its computer systems.
According to published reports, Nantucket’s five public schools shut their doors to students and teachers after a data encryption and extortion attack prompted staff to shut down the internet along with all student and staff devices — including phones and security cameras.
“Out of an abundance of caution, we will be canceling school tomorrow, Wednesday, Feb. 1, for all staff and students,” school superintendent Beth Hallett wrote in a message to the school community.
The schools were first closed on Tuesday morning and all 1,700 students and staff were sent home “for the safety and security of all.”
Hallett said the school district has hired outside data security experts to work alongside its IT department to recover data and restore computer and internet service.
There is no information on whether a ransom payment was paid or the extent of damage from data encryption or data theft.
Education institutions have become a popular target for ransomware attacks with multiple schools reporting malware infections that lead to data being encrypted and costly ransom demands.
As we reflect on 2022, we’ve seen that malicious actors are constantly coming up with new ways to weaponize technologies at scale to cause more disruption and devastation.
The dangers are showing up everywhere – and more frequently. The volume and variety of threats, including Ransomware-as-a-Service (RaaS) and novel attacks on previously less conventional targets, are of particular concern to CIOs and CISOs.
Increasingly, cybercrime is big business run by highly organized groups rather than individuals. Much like the mythological hydra, cutting off the head of one of these organizations (i.e. just stopping a few low level operators in their tracks) isn’t going to solve the problem; the key is to disrupt the networks themselves. That’s a tall order – one that’s going to require widespread collaboration.
Cybercrime networks and Cybercrime-as-a-Service
We anticipated that in 2022 there would be an increase in pre-attack reconnaissance and weaponization among attackers. This would open the door for the growth of Crime-as-a-Service (CaaS) to accelerate even faster.
That prediction proved accurate. The FortiGuard Labs team documented 10,666 new ransomware variations in the first half of 2022, compared to just 5,400 in the second half of 2021: an almost 100% increase in the number of new ransomware variants found. The rise in popularity of RaaS on the dark web is the main cause of this sudden increase in new ransomware strains.
RaaS is mostly to blame for the explosive growth in ransomware variants, and ransomware payments are also rising. U.S. financial institutions spent close to $1.2 billion on likely ransomware payments in 2021, according to the Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury. That was more than double the prior year, and if that trend continues, results from 2022 will be even higher.
Our current predictions indicate that the CaaS market will grow dramatically through 2023 and beyond, with threat actors soon being able to subscribe to new exploits, services and structured programs.
We’re also predicting that threat actors will soon have access to more ready-made, “as a service” products. This means even more cybercriminals of all skill levels will be able to launch more complex attacks without first devoting time and money to developing their own tooling and strategy. Additionally, producing and offering “aaS” attack portfolios is a straightforward, efficient, and repeatable way for seasoned hackers to make money, meaning the business model pays. Prepare for an expanded CaaS catalog to appear in 2023 and beyond as a result.
Collaboration is key
It can’t be emphasized enough: the key to disrupting cybercrime networks is collaboration across the private and public sectors. One illustration is the work of the World Economic Forum’s Partnership Against Cybercrime (PAC). In response to the unprecedented, exponential growth in cybercriminal activity during the pandemic, PAC has focused on combining the private sector’s digital expertise and data with the public sector’s threat information to help disrupt cybercrime ecosystems.
A worldwide strategy and coordinated effort to remove communication barriers will make it easier to overcome the obstacles that shield attackers. It is everyone’s duty to disrupt bad actors and dismantle attack infrastructure, and this calls for solid, reliable partnerships with other organizations. Cybercriminals run their operations like businesses; therefore, the more we can force them to rebuild, change their strategies, and start over, the better off digital assets will be.
Not only do we want to stop attacks from happening, but we also want to take down cybercriminals and make them modify how they operate, which costs them effort, time and resources. Sharing actionable threat intelligence among organizations and influencing how cyberthreat mitigation will be done in the future are crucial.
Private-public collaboration in practice
An example of how this kind of collaboration can be used to disrupt cybercrime networks is the recent African Cyber Surge Operation. The collaboration between INTERPOL, FortiGuard Labs and other INTERPOL private partners resulted in the successful Cyber Surge operation and the dissemination of intel to several law enforcement organizations in the Africa region.
Partners such as FortiGuard Labs offered actionable threat intelligence based on infrastructure research of malware, botnets and command and control (C2), including C2 and malware victims across Africa. The Africa Cyber Surge Operation, which began in July 2022, has brought together law enforcement (LE) officers from 27 nations. They collaborated for almost four months on actionable intelligence provided by INTERPOL private partners.
Through a coordinated effort between INTERPOL, AFRIPOL and the participating nations, this operation targeted both cybercriminals and compromised network infrastructure in Africa. Member nations were able to identify more than 1,000 malicious IP addresses, dark web marketplaces and specific attackers.
The Africa Cyber Surge Operation is a great example of how joint operations and sharing threat intelligence on threat actors among reliable partners can increase an entire region’s cyber resilience. It also demonstrates the need for cybersecurity education and training in bridging the cyberskills gap and effectively combating cybercrime on a large scale.
Collaboration is the key
No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base. Just as cybercrime networks are getting stronger and larger, so too must collaborative strategies between private companies and law enforcement agencies. Disrupting cybercrime networks is going to take collaboration on a large scale.
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
Our intention here is to talk about cybercrime and cybercriminals. Despite some geopolitical overlaps with state attackers, the majority of cyberattacks still come from simple – or perhaps sophisticated – criminals who are more motivated by money than politics.
“With the Russia-Ukraine War, many actors polarized, including players like Conti, Killnet and Anonymous. However, the ecosystem is much larger, and even with setbacks in cryptocurrency brokerage, which advanced the liquidity and economics of criminals online, criminal organizations are thriving, diversifying, and going gangbusters as we enter 2023,” comments Sam Curry, CSO at Cybereason.
“There are no signs of this letting up and all signs indicate that criminal organizations’ real growth is e-crime going forward.”
Know your enemy
An increasing sophistication among the more elite criminals together with a more streamlined organization of the infrastructure from which they operate has been apparent for many years. This process continues and will continue throughout 2023. It is apparent in both how the gangs operate and the tools they use.
“Malware will continue to evolve in 2023 as attackers find new ways to hide it to maintain persistence and get what they came for,” says Mike Parkin, senior technical engineer at Vulcan Cyber – adding, “The attack vectors they use to get a foothold will also evolve, taking advantage of new vulnerabilities, and leveraging variations of old ones.”
But it is the increasing maturity of the criminal business that perhaps poses the greatest threat. “There is a significant maturing of the tools used by cybercriminal groups,” explains Andrew Barratt, VP at Coalfire. “They are becoming platforms (as a service) for other criminal groups with significantly less technical expertise to leverage.”
We’ve had ransomware-as-a-service and infostealers-as-a-service for a few years, but it is becoming more accurate to describe the process as a complete ‘crime-as-a-service’. “While we’ve seen the crime-as-a-service infrastructure become very prevalent, it’s probably likely we’ll see an uptick in volume and/or pricing of these attacks in the year ahead,” adds Barratt.
Crime-as-a-Service
“We’ve looked at numerous online forums and found such a rise and diversification in the many kinds of criminal ‘as a service’ offerings that people really can set up their own cybercrime business with little to no technical knowledge or skills,” explains Christopher Budd, senior manager of threat research at Sophos.
“Now you can find a vendor or supplier to cover your needs around targeting and initial compromise of victims, evasion and operational security, and malware delivery, among others.” These offerings often come with good marketing and customer service and support that meets – or even exceeds – those you get when paying for legitimate software.
Calling it malware-as-a-service (MaaS) rather than crime-as-a-service, Andrew Pendergast, EVP of product at ThreatConnect, adds, “MaaS operators act like a business, because they are a business – just an illegal one. Their goals are to make as much money as possible selling their product and services. This entails making it as accessible, trustable, reliable, and easy to use as possible for their ‘market’.”
He expects the CaaS providers to continue to improve their support and services to accommodate a broader set of customers and affiliates, adding, “The net results will be a broadening user base for various MaaS offerings which in 2023 likely means more ransomware attacks.”
In fact, the service is now so complete that Benjamin Fabre, CEO at DataDome, points out new cybercriminals no longer need the technical skills to develop and execute cyberattacks on their own. “Cybercrime will require as much brains as holding a baseball bat to a shop owner’s window,” he comments.
Chris Vaughan, a VP of technical account management at Tanium, agrees with this assessment. “Malicious cyber tools are becoming more available to be purchased online which is leading to a greater number of attacks that are also less predictable. This includes vulnerabilities and exploits as well as hackers for hire, dramatically lowering the barrier of entry for anyone interested in launching a cyberattack.”
This leads us to another related concern for 2023: the potential expansion of a recession-driven cybercrime gig economy. “People may turn to ‘cyber hustling’ in the cybercrime gig economy to make quick cash during the economic downturn,” warns Alex Holland, senior malware analyst at HP Inc.
He fears a potential increase in the number of cyber hustlers seeking to make additional – or, indeed, any – income by scamming consumers who will themselves be looking for opportunities to raise some extra cash. “Cybercrime tools and mentoring services are readily available at low costs, enticing cyber hustlers – opportunists with relatively low levels of technical skill – to access what they need to turn a profit.”
The interconnected nature of the cybercrime gig economy means threat actors can easily monetize attacks. “And if they strike gold and compromise a corporate device, they can also sell that access to bigger players, like ransomware gangs. This all feeds into the cybercrime engine, giving organized groups even more reach.”
Crime gang career roles
Fundamental to the emergence of streamlined CaaS has been the evolution of career specializations within the gangs. “In many ways, the cybercrime ecosystem has developed specialized ‘career fields’ in a similar way that cybersecurity has developed specializations,” comments John Bambenek, principal threat hunter at Netenrich.
This means there are many more partnerships and boutique actors helping a variety of groups. “Getting initial access is a specialized skill set, just like money laundering (in cryptocurrency) and ransomware development are skill sets,” he added. “This specialization makes the ecosystem as a whole more resilient and more difficult to bring to justice.”
This process of business refinement will continue through 2023. “Criminal organizations will continue to grow in scope and capabilities, with increased focus on functional areas,” suggests Gray, AVP of security strategy at Deepwatch. “Specialization will allow these groups to maintain the razor margins needed to operate at levels that are capable of bypassing security program components at advanced targets and/or operate at scale against more susceptible targets.”
Three categories of CaaS to watch in 2023
Three categories of crime-as-a-service are likely to be prevalent in 2023: ransomware-as-a-service (RaaS), stealer-as-a-service (SaaS), and victims-as-a-service (VaaS).
RaaS
The ‘pay-per-use’ version of delivering ransomware is, says Camellia Chan, CEO and founder of X-Phy, “a sophisticated, and yet much more accessible form of ransomware, with malicious actors no longer requiring advanced technical skills to carry out attacks.” This is a win for wannabe criminals who cannot code.
But it is also a win for the more elite coding criminals trying to avoid the eye of law enforcement. “The number of different entities involved adds another layer of complexity,” explains Chan. “While RaaS operators develop the infrastructure, access brokers focus on the identity posture and external access portals. To finish, the affiliate buying the RaaS handles the exfiltration of data to ransom, then deploying the actual ransomware payload.”
Mike McLellan, director of intelligence at Secureworks, continues: “New RaaS schemes will continue to emerge, but the landscape will be dominated by a handful of cybercriminal groups operating a small number of very active schemes.”
He expects the dominant schemes to increase their capacity to support more affiliates. “Experienced cybercriminals under sanction by the U.S. authorities will make use of existing RaaS schemes as a way of complicating attribution of their attacks. At the other end of the spectrum, less sophisticated affiliates will conduct simplistic ransomware deployments against small numbers of hosts, rather than full blown, enterprise-wide encryption events.”
SaaS
A study published by Group-IB on November 23, 2022, reported that 34 Russian-speaking groups were distributing infostealers as part of stealers-as-a-service operations. On average, each of these groups has some 200 active members.
Twenty-three of the groups distributed the Redline infostealer, while eight concentrated on Raccoon. “An infostealer,” explains Group-IB, “is a type of malware that collects credentials stored in browsers (including gaming accounts, email services, and social media), bank card details, and crypto wallet information from infected computers, and then sends all this data to the malware operator.”
Given that credentials remain the starting point for most cyberattacks, the demand is and will remain high. Group-IB suggests “Stealers are one of the top threats to watch in the coming year.” The company notes, “In the first seven months of 2022, the gangs collectively infected over 890,000 user devices and stole over 50 million passwords.”
While the targets are individual computers often used by gamers and remote workers, the potential knock-on effect against corporates should not be underestimated. “The threat actor responsible for the most recent attack on Uber purchased the credentials compromised with the Raccoon stealer,” says Group-IB.
Uber itself explained the process in a statement: “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”
This demonstrates both the success of stealers and the failure of MFA to offer a complete access solution. The Uber instance seems to be a variation on what Tanium’s Vaughan describes as an MFA push exhaustion attack. “This,” he explains, “is where an attacker sends a large number of MFA acceptance prompts to a user’s phone which may cause them to click accept in order to stop the barrage of requests.”
This whole process of SaaS-delivered stealers acquiring credentials and attackers defeating MFA will persist and increase in 2023.
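The MFA push exhaustion pattern described above (a barrage of push prompts to one user, ending in an approval) is something an identity team can hunt for in its authentication logs. The following detector is an added example written for this page, not code from SecurityWeek or any vendor quoted here; the log line format and the sample lines are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Detect MFA push-fatigue (push exhaustion) patterns in authentication logs.

Assumed (constructed) log line format, one event per line:
    <ISO-8601 UTC timestamp> user=<name> event=<push_sent|push_denied|push_approved> src=<ip>
Real identity providers use their own schemas; only parse_line() would need to change.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice receives six prompts in two minutes, denies three,
# then approves one; bob shows a single normal login.
SAMPLE_LOG = """\
2023-01-10T08:00:00Z user=alice event=push_sent src=203.0.113.5
2023-01-10T08:00:05Z user=alice event=push_denied src=203.0.113.5
2023-01-10T08:00:30Z user=alice event=push_sent src=203.0.113.5
2023-01-10T08:00:35Z user=alice event=push_denied src=203.0.113.5
2023-01-10T08:01:00Z user=alice event=push_sent src=203.0.113.5
2023-01-10T08:01:03Z user=alice event=push_denied src=203.0.113.5
2023-01-10T08:01:30Z user=alice event=push_sent src=203.0.113.5
2023-01-10T08:01:40Z user=alice event=push_sent src=203.0.113.5
2023-01-10T08:01:50Z user=alice event=push_sent src=203.0.113.5
2023-01-10T08:02:10Z user=alice event=push_approved src=203.0.113.5
2023-01-10T09:00:00Z user=bob event=push_sent src=198.51.100.7
2023-01-10T09:00:04Z user=bob event=push_approved src=198.51.100.7
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, source_ip)."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["event"], fields.get("src", "")


def detect_push_fatigue(log_text, max_pushes=4, window=timedelta(minutes=5)):
    """Return {user: alert} for every user who received at least `max_pushes`
    push prompts inside any sliding `window`. The alert records the largest
    burst seen, the denials during it, whether an approval followed the start of
    the burst (the dangerous case), and the source IPs that triggered the prompts.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event, src = parse_line(line)
            events[user].append((ts, event, src))

    alerts = {}
    for user, evs in events.items():
        evs.sort()
        pushes = [e for e in evs if e[1] == "push_sent"]
        start = 0
        for end in range(len(pushes)):
            # Advance the window start until all pushes in [start, end] fit in `window`.
            while pushes[end][0] - pushes[start][0] > window:
                start += 1
            count = end - start + 1
            if count < max_pushes:
                continue
            win_start = pushes[start][0]
            win_end = pushes[end][0] + window  # allow the user's reaction to land
            denials = sum(1 for ts, ev, _ in evs
                          if ev == "push_denied" and win_start <= ts <= win_end)
            approved = any(ev == "push_approved" and win_start <= ts <= win_end
                           for ts, ev, _ in evs)
            prev = alerts.get(user)
            if prev is None or count > prev["pushes"]:
                alerts[user] = {
                    "pushes": count,
                    "denials": denials,
                    "approved_after_barrage": approved,
                    "sources": sorted({s for _, _, s in pushes[start:end + 1]}),
                }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_fatigue(SAMPLE_LOG).items():
        severity = "HIGH" if alert["approved_after_barrage"] else "MEDIUM"
        print(f"[{severity}] {user}: {alert}")
```

A HIGH alert (approval after a barrage) is the case worth treating as a probable account compromise; number matching or FIDO2 authenticators remove the failure mode that makes this attack work.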
VaaS
Mark Warren, product specialist at Osirium, believes there is a new service offering on the rise: hacker teams offering victims-as-a-service. “For the last couple of years, threat actors have been team-based,” he explains. “Before cryptocurrency, they were lone wolves – or, occasionally, a loosely connected group who’d met online. Then they started working in teams, and because they were paid money those teams became tightly bonded. Over the next year we’ll see more teams divide out into skills-based groups.”
He uses REvil as an example of a successful RaaS model offering an end-to-end solution for attackers that included encryption software, access tools, helpdesks for victims, payment services and much more. “But,” he says, “there’s still a market for smaller teams that focus on specific attack skills. For example, they may breach defenses to acquire user or admin credentials, or even install malware to provide back door entry for use at a later date.”
Providers of such a service don’t need to take the risk of executing the attack or handling payment; they can make good money just by selling the access on dark web marketplaces. The access could be obtained via relatively risk-free phishing campaigns.
The approach could be modular. “Company intelligence may be another specialist service,” he suggests. “For example, knowing what cyber insurance a potential victim has could reveal the kinds of defenses they’ll have in place and even how much they’re insured for, so ransomware demands can be tailored.” In this sense, VaaS can be seen as an extension and expansion of the existing access broker criminal service.
And going forward…
Aamir Lakhani, cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs, adds further subtleties that will emerge. “Going forward, subscription based CaaS offerings could potentially provide additional revenue streams. In addition, threat actors will also begin to leverage emerging attack vectors such as deepfakes, offering these videos and audio recordings and related algorithms more broadly for purchase.”
The quasi-APT
This continuing professionalization of the criminal fraternity is causing the inevitable emergence of what Omer Carmi, VP of cyber threat intelligence at Cybersixgill, calls the quasi-APT. “In 2023,” he warns, “the quasi-APT’s emergence will escalate due to the democratization of cyberweapons and the democratization of access enabled by powerful technology now accessible to the cybercrime underground.”
The growth of specialized roles and CaaS means that for as little as $10, threat actors can purchase access and gain a steady foothold into their targets’ systems. They can get a beachhead into highly secured organizations without having to bother with the complex, drawn-out process of gaining initial access on their own.
“By outsourcing access, attackers of all levels of sophistication can leapfrog several steps, jumping yet another step closer to the level of an APT – hence the birth of the quasi-APT,” he warns.
The constantly improving sophistication and professionalization of the criminal underground will continue through 2023 and beyond. For example, Mikko Hypponen, chief research officer at WithSecure, sees artificial intelligence adding a new string to the criminal bow in 2023.
“Malware campaigns will move from human speed to machine speed,” he warns. “The most capable cybercrime groups will reach the capability to use simple machine learning techniques to automate the deployment and operation of malware campaigns, including automatic reaction to our defenses. Malware automation will include techniques like rewriting malicious emails, registering and creating malicious websites, and rewriting and compiling malware code to avoid detection.”
2023 may see the beginning of a new crime gang service: AI-as-a-Service.
Authorities in the United States and Europe have announced the results of a major law enforcement operation targeting the Hive ransomware.
Agencies from around the world worked together to take down Hive’s leak website and servers. In addition, agents hacked into Hive systems in July 2022, allowing them to identify targets and obtain decryption keys that allowed victims to recover encrypted files without paying a ransom.
Authorities continue to investigate Hive in an effort to identify the cybercriminals involved in the operation, including developers, administrators and affiliates. The US announced that it’s offering rewards of up to $10 million for information on these and other hackers.
Several industry professionals have commented on various aspects of the Hive takedown, many noting that while Hive may have fallen, the threat actors behind the operation will likely continue their malicious activities.
And the feedback begins…
Kimberly Goody, Senior Manager, Mandiant Intelligence, Google Cloud:
“We’ve seen multiple actors using Hive ransomware since it emerged, but the most prolific actor over the past year, based on our visibility, was UNC2727. Their operations are notable because they have commonly impacted the healthcare sector. Hive also hasn’t been the only ransomware in their toolkit; in the past we’ve seen them employ Conti and MountLocker among others. This shows that some actors already have relationships within the broad ecosystem that could enable them to easily shift to using another brand as part of their operations.”
Crane Hassold, former FBI cyber psychological operations analyst, Head of Research, Abnormal Security:
“Unlike some other cyber threats, like business email compromise (BEC), the ransomware landscape is very centralized, meaning a relatively small number of groups are responsible for a majority of all the attacks. The silver lining to this top-heavy ecosystem is that disruptive actions against one of these primary groups, such as law enforcement takedowns, can have a significant impact on the overall landscape. Since Hive has been one of the biggest players in the ransomware space over the past year, I would expect this takedown to have a noticeable impact on ransomware volume, at least in the short-term.
Because of the increased pressure from global law enforcement and the likely regulatory controls of cryptocurrency, one of the biggest drivers of today’s ransomware landscape, it’s very possible that we’ll start to see ransomware actors pivot to other types of cyber attacks, like BEC. BEC is the most financially-impactful cyber threat today and, instead of using their initial access malware to gain a foothold on a company’s network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks.”
Satnam Narang, Senior Research Engineer, Tenable:
“The actions undertaken by U.S. agencies to disrupt the Hive ransomware group operation from within is an unprecedented step in the fight against ransomware, which has steadily remained the biggest threat facing most organizations today. While this may signal the end of the Hive ransomware group, its members and affiliates remain a threat. If there’s anything we’ve learned after past disruptive actions against ransomware groups, it’s that other groups will rise to fill the void left behind. Affiliates, which are typically responsible for conducting most of these attacks, can easily pivot to other affiliate programs of groups that remain operational and ransomware group members can also take their knowledge to these groups. One of the key ways ransomware groups gain attention and notoriety is by publishing their successful attacks on data leak sites on the dark web. It wouldn’t surprise me if ransomware groups see the threat posed by maintaining these sites and stop publicly listing these attacks in an attempt to stay under the radar.”
Kurt Baumgartner, Principal Researcher, Kaspersky:
“The frequency of ransomware attacks has been up, while victim payments have reportedly gone down. This is a great trend, and this coordinated effort is what we need to see more of from law enforcement around the world. Some of this effort in letting the activity progress may seem somewhat controversial, but generating decryption keys for victims over time helps to exhaust the group’s resources.
Yes, in all likelihood, another gang is going to fill the void. It takes time and effort, but the incentives are in the hundreds of millions of dollars.
It’s somewhat surprising that the group housed their server resources in-country in Los Angeles. Apparently they thought everything was secured and hidden by the Tor network. Law enforcement put on display some impressive capabilities in infiltrating, seizing, and disrupting some of the gang’s resources. The actors behind this group have shown a reckless disregard for human life in their efforts to victimize schools and hospitals.”
Austin Berglas, Global Head of Professional Services, BlueVoyant:
“True dismantlement comes only when law enforcement can ‘put hands on’ or arrest the individuals responsible. However, identifying the actual human beings behind the keyboard is a very difficult task. Many of these cyber criminals are adept at anonymizing their online communications, locations, and infrastructure – often operating in global locations where international law enforcement cooperation is non-existent and utilizing bullet-proof hosting providers, which are unresponsive to legal process.
There may be a temporary decline in ransomware activity in the wake of the website seizure as groups scramble to harden defenses and tighten their inner circles, but this will not make an overall, noticeable impact on global ransomware attacks. History has shown that ransomware gangs that disband either due to law enforcement actions, internal strife, or geo-political reasons will sometimes regroup under a different name. Conti, one of the most active ransomware gangs in recent history, shuttered operations soon after one of their members leaked internal Conti communications. Former members of the group are suspected of spinning off into newer groups such as BlackBasta and BlackByte.”
Jan Lovmand, CTO, BullWall:
“What is a significant win for law enforcement could in reality be a road bump for the Hive ransomware group. Whenever law enforcement starts paying too significant attention and effort to a particular group, they often scatter or reorganize under a different name. We have seen these seizures before only for the gang to surface with new extortion sites and ransomware names, or sometimes as several smaller groups. In the past they have seen these interruptions as temporary setbacks to a very lucrative business – similar to when a drug cartel has a shipment seized. They lose some income, get disrupted but rarely stop their criminal activity to become honest working individuals. Law enforcement in several regions has in the past recovered ransoms paid from other gangs or seized decryption keys, but what is different this time is how many victims the FBI have been able to help and for how long.”
Eric O’Neill, National Security Strategist, VMware:
“The disruption of the notorious Hive ransomware group demonstrates that the FBI has increased its ability to investigate and track threat actors across the Dark Web. This supports the commendable work the FBI’s IC3 is doing to track cybercrime attacks and coordinate efforts to repatriate stolen funds from cybercriminals, further reinforcing the importance of notifying the IC3 when a ransomware attack occurs.
It’s also worth noting how large the Dark Web has grown and how well-resourced new cyber crime syndicates, such as Hive, have become. The Dark Web is currently the third largest economy on Earth measured by GDP, which is larger than Japan or Germany. By 2025, this will grow larger than both countries combined. The FBI’s work to shut down Hive servers and repatriate encryption keys is a great step in the right direction, but it is only a step along a distant marathon to stop Dark Web-resourced cyber crime.”
Julia O’Toole, CEO, MyCena Security Solutions:
“When CISOs are reading the news about Hive’s takedown, it would be wise for them to also focus on the data being revealed about the gang’s victims and the financial losses they inflicted. The alarming numbers may be about Hive, but other ransomware gangs that have even more victims under their belt are still in operation and still pose a very real and credible threat today.
Organizations should use this takedown as a warning that ransomware is a damaging threat that is far from over. As the number one route to a ransomware attack is by gaining initial network access, network infrastructure access must be the number one priority.
When it comes to defense tools, access segmentation and encryption provide the greatest protection. These solutions stop data breaches from propagating through networks and morphing into ransomware attacks, while they also help prevent phishing attacks on employees, since they don’t know the passwords they use.”
Alfredo Hickman, Head of Information Security, Obsidian Security:
“Today’s news sends a very loud message to all cybercrime groups that if you are on this administration’s radar, they are going to be proactive – and if you get within reach of the American legal and justice system, they will hold you accountable. Some experts believe this approach still lacks teeth due to the risk/reward calculus that heavily favors cybercrime organizations operating outside the reach of the US justice system.
However, this more aggressive and proactive approach to disrupting cybercrime operations should cause pause and recalculation within some organizations. As these announcements continue to roll out and as related cybercrime operations continue to be disrupted and pressure is applied to host nations, I believe there will be fewer attacks on at least the most sensitive establishments, such as hospitals or critical infrastructures due to the near-universal condemnation and political blowback.”
Following the shutdown of the Hive ransomware operation by law enforcement, the US government has reminded the public that a reward of up to $10 million is offered for information on cybercriminals.
Authorities in the United States and Europe announced on Thursday the results of a major law enforcement operation targeting the Hive ransomware. More than a dozen agencies collaborated to take down the Tor-based leak website used by the group and other parts of its infrastructure, including servers located in Los Angeles.
The FBI revealed that Hive’s ‘control panel’ was hacked by agents in July 2022, allowing them to identify targets and obtain decryption keys that allowed victims to recover encrypted files. The FBI and Europol said they prevented the payment of more than $130 million to the cybercriminals.
The Hive ransomware operation was launched in June 2021 and it has since made more than 1,500 victims across roughly 80 countries. It’s believed that administrators and affiliates made approximately $100 million from ransom payments.
Authorities continue to investigate Hive in an effort to identify the threat actors involved in the operation, including developers, administrators and affiliates.
After the operation against Hive was announced on Thursday, the US State Department reiterated that it’s prepared to pay up to $10 million for information on the identity or location of foreign state-sponsored threat actors that have targeted critical infrastructure. This includes individuals linked to Hive.
At least some of the people involved in the Hive ransomware operation are believed to be Russian speakers. However, during a press conference announcing the law enforcement operation against Hive on Thursday, US officials refused to comment on potential ties to Russia, citing the ongoing investigation.
The FBI has at least temporarily dismantled the network of a prolific ransomware gang it infiltrated last year, saving victims including hospitals and school districts a potential $130 million in ransom payments, Attorney General Merrick Garland and other U.S. officials announced Thursday.
“Simply put, using lawful means we hacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference.
Officials said the targeted syndicate, known as Hive, operates one of the world’s top five ransomware networks. The FBI quietly gained access to its control panel in July and was able to obtain software keys to decrypt the network of some 1,300 victims globally, said FBI Director Christopher Wray. Officials credited German police and other international partners.
It was not immediately clear how the takedown will affect Hive’s long-term operations, however. Officials did not announce any arrests but said they were building a map of Hive’s administrators, who manage the software, and affiliates, who infect targets and negotiate with victims, to pursue prosecutions. “I think anyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.
On Wednesday night, FBI agents seized computer infrastructure in Los Angeles that was used to support the network. Hive’s dark web site was also seized.
“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack,” Wray said.
Garland said that thanks to the infiltration, led by the FBI’s Tampa office, agents were able in one instance to disrupt a Hive attack against a Texas school district, stopping it from making a $5 million payment.
The operation is a big win for the Justice Department. The ransomware scourge is the world’s biggest cybercrime headache with everything from Britain’s postal service and Ireland’s national health service to Costa Rica’s government crippled by Russian-speaking syndicates that enjoy Kremlin protection. The criminals lock up, or encrypt, victims’ computer networks, steal sensitive data and demand large sums.
As an example of Hive’s threat, Garland said it had prevented a hospital in the Midwest in 2021 from accepting new patients at the height of the COVID-19 epidemic.
A U.S. government advisory last year said Hive ransomware actors victimized over 1,300 companies worldwide from June 2021 through November 2022, receiving approximately $100 million in ransom payments. It said criminals using Hive ransomware targeted a wide range of businesses and critical infrastructure, including government, manufacturing and especially health care and public health facilities.
The threat captured the attention of the highest levels of the Biden administration two years ago after a series of high-profile attacks that threatened critical infrastructure and global industry. In May 2021, for instance, hackers targeted the nation’s largest fuel pipeline, causing the operators to briefly shut it down and make a multimillion-dollar ransom payment that the U.S. government largely recovered.
Federal officials have used a variety of tools to try to combat the problem, but conventional law enforcement measures such as arrests and prosecutions have done little to frustrate the criminals.
The FBI has obtained access to decryption keys before. It did so in the case of a major 2021 ransomware attack on Kaseya, a company whose software runs hundreds of websites. It took some heat, however, for waiting several weeks to help victims unlock afflicted networks.
The Hive ransomware operation appears to have been shut down as part of a major law enforcement operation involving agencies in 10 countries.
A message displayed in English and Russian on the Hive ransomware operation’s Tor-based website reads: “The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware.”
Another message says the action was taken in coordination with Europol and authorities in Florida, which indicates that more details will likely be made available in the upcoming period by the Justice Department and Europol.
Until law enforcement agencies confirm the shutdown of Hive, there is a slight chance that the website seizure notice was posted by the cybercriminals themselves. It is not unheard of for hacker groups to falsely claim that they have been shut down by police.
However, Allan Liska, a ransomware expert working for threat intelligence company Recorded Future, reported that the Hive infrastructure was seized. Liska also posted an image showing that many well-known ransomware groups have fallen.
The US government reported in November 2022 that the Hive ransomware gang had hit more than 1,300 businesses and made an estimated $100 million in ransom payments.
Data collected by the DarkFeed deep web intelligence project shows that Hive was still active last week.
The Hive ransomware operation was launched in 2021. Offered under a ransomware-as-a-service (RaaS) model, the ransomware was often used against organizations in the healthcare sector, as well as other critical infrastructure.
The hackers used malware to encrypt the target’s files, but not before stealing data that could be used to pressure the victim into paying up.
A free decryptor for files encrypted with the Hive ransomware was released by a South Korean cybersecurity agency in the summer of 2022.
Video games developer Riot Games on Tuesday confirmed that source code was stolen from its development systems during a ransomware attack last week.
The incident was initially disclosed on January 20, when the company announced that systems in its development environment had been compromised and that the attack impacted its ability to release content.
“Earlier this week, systems in our development environment were compromised via a social engineering attack. We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained,” the company announced last week.
On January 24, Riot Games revealed that ransomware was used in the attack and that source code for several games was stolen.
“Over the weekend, our analysis confirmed source code for League, TFT, and a legacy anticheat platform were exfiltrated by the attackers,” the games developer said.
The company reiterated that, while the development environment was disrupted, no player data or personal information was compromised in the attack.
The stolen source code, which also includes some experimental features, will likely lead to new cheats emerging, the company said.
“Our security teams and globally recognized external consultants continue to evaluate the attack and audit our systems. We’ve also notified law enforcement and are in active cooperation with them as they investigate the attack and the group behind it,” Riot Games added.
The game developer also revealed that it received a ransom demand, but noted that it has no intention to pay the attackers. The company has promised to publish a detailed report of the incident.
According to Motherboard, the attackers wrote in the ransom note that they were able to steal the anti-cheat source code and game code for League of Legends and for the usermode anti-cheat Packman. The attackers are demanding $10 million in return for not sharing the code publicly.