FBI Pwns Ransomware Gang… Yes You Read That Right

The FBI revealed yesterday that it had shut down the prolific ransomware gang called Hive. To do this, they hacked the hackers, which I have to admit is a novel approach:

At a news conference, U.S. Attorney General Merrick Garland, FBI Director Christopher Wray, and Deputy U.S. Attorney General Lisa Monaco said government hackers broke into Hive’s network and put the gang under surveillance, surreptitiously stealing the digital keys the group used to unlock victim organizations’ data.

They were then able to alert victims in advance so they could take steps to protect their systems before Hive demanded the payments.

“Using lawful means, we hacked the hackers,” Monaco told reporters. “We turned the tables on Hive.”

News of the takedown first leaked on Thursday morning when Hive’s website was replaced with a flashing message that said: “The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware.”

That is impressive. But I should point something out. There were no arrests. So the gang is still out there, and perhaps they are rebuilding to launch new attacks. Or they could be scared and not surface again. We'll have to see.

UPDATE: Brian Johnson, Chief Security Officer of Armorblox, had this to say:

This action from the US agencies is definitely a step in the right direction. Specifically looking at attack vectors like ransomware and credential phishing across our 58,000+ tenants, we see a concentration into a few different threat actors at the top – including Hive – so taking them out will have a large impact on the number of attacks that organizations would see.

At the same time, precisely because of regulatory and law enforcement actions, we are seeing threat actors moving away from ransomware and crypto-based attacks to easier attack methods to compromise organizations and steal money or credentials. In the past two years, the two most common cyber insurance claims have been business email compromise and vendor fraud, not ransomware. The arrival of ChatGPT is showing attackers the art of the possible when it comes to using language models to create more realistic and successful phishing and business compromise attacks, and in response organizations will need to do the same to defend themselves against the next wave of attacks.
