Naked Security Naked Security

Hive ransomware servers shut down at last, says FBI

Unfortunately, you've probably already heard the cliche that "cybercrime abhors a vacuum"...

Six months ago, according to the US Department of Justice (DOJ), the Federal Bureau of Investigation (FBI) infiltrated the Hive ransomware gang and started “stealing back” the decryption keys for victims whose files had been scrambled.

As you are almost certainly, and sadly, aware, ransomware attacks these days typically involve two associated groups of cybercriminals.

These groups often “know” each other only by nicknames, and “meet” only online, using anonymity tools to avoid actually knowing (or revealing, whether by accident or design) each others’ real-life identities and locations.

The core gang members stay largely in the background, creating malicious programs that scramble (or otherwise block access to) all your important files, using an access key that they keep to themselves after the damage is done.

They also run one or more darkweb “payment pages” where victims, loosely speaking, go to pay blackmail money in return for those access keys, thus allowing them to unlock their frozen computers, and get their companies running again.

Crimeware-as-a-Service

This core group is surrounded by a possibly large and ever-changing group of “affiliates” – partners in crime who break into other people’s networks in order to implant the core gang’s “attack programs” as widely and deeply as possible.

Their goal, motivated by a “commission fee” that may be as much as 80% of the total blackmail paid, is to create such widespread and sudden disruption to a business that they can not only demand an eye-watering extortion payment, but also to leave the victim with little choice but to pay up.

This arrangement is generally known as RaaS or CaaS, short for ransomware (or crimeware) as-a-service, a name that stands as an ironic reminder that the cybercriminal underworld is happy to copy the affiliate or franchise model used by many legitimate businesses.

Recovering without paying

There are three main ways that victims can get their businesses back on the rails without paying up after a successful network-wide file-lockout attack:

  • Have a robust and efficient recovery plan. Generally speaking, this means not only having a top-notch process for making backups, but also knowing how to keep at least one backup copy of everything safe from the ransomware affiliates (they like nothing better than to find and destroy your online backups before unleashing the final phase of their attack). You also need to have practised how to restore those backups reliably and quickly enough that doing so is a viable alternative to simply paying up anyway.
  • Find a flaw in the file lockout process used by the attackers. Usually, ransomware crooks “lock” your files by encrypting them with the very same sort of secure cryptography that you might use yourself when securing your web traffic or your own backups. Occasionally, however, the core gang makes one or more programming blunders that may allow you to use a free tool to “crack” the decryption and recover without paying. Be aware, however, that this path to recovery happens by luck, not by design.
  • Get hold of the actual recovery passwords or keys in some other way. Although this is rare, there are several ways it can happen, such as: identifying a turncoat inside the gang who will leak the keys in a fit of conscience or a burst of spite; finding a network security blunder allowing a counter-attack to extract the keys from the crooks’ own hidden servers; or infiltrating the gang and getting undercover access to the needed data in the criminals’ network.

The last of these, infiltration, is what the DOJ says it’s been able to do for at least some Hive victims since July 2022, apparently short-circuiting blackmail demands totalling more than $130 million dollars, relating to more than 300 individual attacks, in just six months.

We’re assuming that the $130 million figure is based on the attackers’ initial demands; ransomware crooks sometimes end up agreeing to lower payments, preferring to take something rather than nothing, although the “discounts” offered often seem to reduce the payments only from unaffordably vast to eye-wateringly huge. The mean average demand based on the figures above is $130M/300, or close to $450,000 per victim.

Hospitals considered fair targets

As the DOJ points out, many ransomware gangs in general, and the Hive crew in particular, treat any and all networks as fair game for blackmail, attacking publicly-funded organisations such as schools and hospitals with just the same vigour that they use against the wealthiest commercial companies:

[T]he Hive ransomware group […] has targeted more than 1500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure.

Unfortunately, even though infiltrating a modern cybercrime gang might give you fantastic insights into the gang’s TTPs (tools, techniques and procedures), and – as in this case – give you a chance of disrupting their operations by subverting the blackmail process on which those eye-watering extortion demands are based…

…knowing even a gang administrator’s password to the criminals’ darkweb-based IT infrastructure generally doesn’t tell you where that infrastructure is based.

Bidirectional pseudoanonymity

One of the great/terrible aspects of the darkweb (depending on why you’re using it, and which side you are on), notably the Tor (short for the onion router) network that is widely favoured by today’s ransomware criminals, is what you might call its bidirectional pseudoanonymity.

The darkweb doesn’t just shield the identity and location of the users who connect to servers hosted on it, but also hides the location of the servers themselves from the clients who visit.

The server (for the most part, at least) doesn’t know who you are when you log in, which is what attracts clients such as cybercrime affiliates and would-be darkweb drug buyers, because they tend to feel that they’ll be able to cut-and-run safely, even if the core gang operators get busted.

Similarly, rogue server operators are attracted by the fact that even if their clients, affiliates or own sysadmins get busted, or turned, or hacked by law enforcement, they won’t be able to reveal who the core gang members are, or where they host their malicious online activities.

Takedown at last

Well, it seems that the reason for yesterday’s DOJ press release is that FBI investigators, with the assistance of law enforcement in both Germany and the Netherlands, have now identified, located and seized the darkweb servers that the Hive gang were using:

Finally, the department announced today[2023-01-26] that, in coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, it has seized control of the servers and websites that Hive uses to communicate with its members, disrupting Hive’s ability to attack and extort victims.

What to do?

We wrote this article to applaud the FBI and its law enforcement partners in Europe for getting this far…

…investigating, infiltrating, reconnoitering, and finally striking to implode the current infrastructure of this notorious ransomware crew, with their half-million-dollars-on-average blackmail demands, and their willingness to take out hospitals just as readily as they go after anyone else’s network.

Unfortunately, you’ve probably already heard the cliche that cybercrime abhors a vacuum, and that is sadly true for ransomware operators as much as it is for any other aspect of online criminality.

If the core gang members aren’t arrested, they may simply lie low for a while, and then spring up under a new name (or perhaps even deliberately and arrogantly revive their old “brand”) with new servers, accessible once again on the darkweb but at a new and now unknown location.

Or other ransomware gangs will simply ramp up their operations, hoping to attract some of the “affiliates” that were suddenly left without their lucratively unlawful revenue stream.

Either way, takedowns like this are something we urgently need, that we need to cheer when they happen, but that are unlikely to put more than a temporary dent in cybercriminality as a whole.

To reduce the amount of money that ransomware crooks are sucking out of our economy, we need to aim for cybercrime prevention, not merely cure.

Detecting, responding to and thus preventing potential ransomware attacks before they start, or while they’re unfolding, or even at the very last moment, when the crooks to try unleash the final file-scrambling process across your network, is always better than the stress of trying to recover from an actual attack.

As Mr Miagi, of Karate Kid fame, knowingly remarked, “Best way to avoid punch – no be there.”


LISTEN NOW: A DAY IN THE LIFE OF A CYBERCRIME FIGHTER

Paul Ducklin talks to Peter Mackenzie, Director of Incident Response at Sophos, in a cybersecurity session that will alarm, amuse and educate you, all in equal measure.

Learn how to stop ransomware crooks before they stop you! (Full transcript available.)

Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.


Short of time or expertise to take care of cybersecurity threat response? Worried that cybersecurity will end up distracting you from all the other things you need to do? Not sure how to respond to security reports from employees who are genuinely keen to help?

Learn more about Sophos Managed Detection and Response:
24/7 threat hunting, detection, and response  ▶