
Hive (ransomware)

Hive (also known as the Hive ransomware group) was a ransomware-as-a-service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group mainly attacked public institutions and then demanded a ransom for the release of the hijacked data.[1]

In January 2023, following a joint US–German investigation[2] involving 13 law enforcement agencies,[3] the United States announced that the FBI had "hacked the hackers" over several months, resulting in the seizure of the Hive ransomware group's servers and effectively shuttering the criminal enterprise.[4][5] When it was dismantled by law enforcement, the Hive ransomware group had extorted over $100 million from about 1,500 victims in more than 80 countries.[6][7][8] The investigation continues, with the US State Department adding a US$10 million bounty for information linking Hive ransomware to any foreign government.[9]

Method of operation

Hive employed a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. According to the Federal Bureau of Investigation (FBI), it functioned as affiliate-based ransomware, using multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access, and Remote Desktop Protocol (RDP) once a network was infiltrated.[10] Using locker malware[11] and operating as a RaaS platform,[12] Hive practised double extortion: operators install locker malware to take a victim entity's data, then encrypt it so that it becomes useless to the victim for conducting business, and then threaten to publish the stolen data on the group's dark web Tor site, HiveLeaks, unless the ransom is paid.[13] The group also used "triple extortion" tactics, seeking payment from anyone affected by the disclosure of the victim organization's data.[14]

Hive mainly targeted the energy, healthcare, financial, media, and education sectors, and became notorious for attacking and crippling critical infrastructure.[13] According to cybersecurity firm Palo Alto Networks in late 2022, the ransomware drops two batch scripts: hive.bat, which tries to delete itself, and shadow.bat, which deletes any shadow copies on the system. It then appends a .hive extension to encrypted files and leaves its ransom note, entitled "HOW_TO_DECRYPT.txt", which lists instructions for preventing data loss. A generated login credential is included to initiate online communication between the victim and the Hive hackers, labelled as its "sales department": a Tor link directs the victim to a login page where the provided credentials are submitted, which opens a chat room.[13]
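As an added defender-side example (not code from the article or from any source it cites), the following Python script walks a directory tree and flags the post-encryption artefacts described above: files carrying the .hive extension, HOW_TO_DECRYPT.txt ransom notes, and batch scripts that delete shadow copies or delete themselves. The concrete command patterns (vssadmin/wmic shadow-copy deletion, the `%~f0` self-delete idiom) and the sample tree are assumptions constructed for the demo, not taken from the page.

```python
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Artefacts named on the page: the ransom-note file name, the extension
# appended to encrypted files, and the names of the two dropped batch scripts.
RANSOM_NOTE = "HOW_TO_DECRYPT.txt"
ENCRYPTED_EXT = ".hive"
DROPPED_SCRIPTS = {"hive.bat", "shadow.bat"}

# Behaviours the page attributes to the scripts: shadow.bat deletes shadow
# copies, hive.bat deletes itself. The command patterns below are an
# assumption (standard Windows idioms), not quoted from the page.
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)
SELF_DELETE_RE = re.compile(r"\bdel\b[^\n]*%~f0", re.IGNORECASE)


@dataclass
class Findings:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    dropped_scripts: list = field(default_factory=list)
    shadow_delete_scripts: list = field(default_factory=list)
    self_delete_scripts: list = field(default_factory=list)
    notes_per_dir: Counter = field(default_factory=Counter)

    def verdict(self) -> str:
        """Crude triage: encrypted files together with a ransom note is the
        post-encryption signature; a shadow-copy-deleting script or renamed
        files on their own still warrant investigation."""
        if self.encrypted_files and self.ransom_notes:
            return "ransomware-impact"
        if self.shadow_delete_scripts or self.encrypted_files:
            return "suspicious"
        return "clean"


def _read_text(path: str) -> str:
    """Read at most 64 KiB of a script; droppers of this kind are tiny."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read(64 * 1024)
    except OSError:
        return ""


def scan_tree(root: str) -> Findings:
    """Walk a directory tree and collect the artefacts found in it."""
    found = Findings()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE.lower():
                found.ransom_notes.append(path)
                found.notes_per_dir[dirpath] += 1
            elif lower.endswith(ENCRYPTED_EXT):
                found.encrypted_files.append(path)
            elif lower.endswith(".bat"):
                if lower in DROPPED_SCRIPTS:
                    found.dropped_scripts.append(path)
                body = _read_text(path)
                if SHADOW_DELETE_RE.search(body):
                    found.shadow_delete_scripts.append(path)
                if SELF_DELETE_RE.search(body):
                    found.self_delete_scripts.append(path)
    return found


def build_sample_tree() -> str:
    """Constructed sample tree (not a real infection image) mimicking the
    artefacts the page lists, so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="hive_demo_")
    docs = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.hive", "report.docx.hive", "notes.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(docs, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write("constructed ransom note placeholder\n")
    tmp = os.path.join(root, "Windows", "Temp")
    os.makedirs(tmp)
    with open(os.path.join(tmp, "shadow.bat"), "w", encoding="utf-8") as fh:
        fh.write("vssadmin.exe delete shadows /all /quiet\n")
    with open(os.path.join(tmp, "hive.bat"), "w", encoding="utf-8") as fh:
        fh.write('del /f /q "%~f0"\n')
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(result.verdict(), len(result.encrypted_files), result.ransom_notes)
```

On a real host the same walk would be pointed at user profile and share roots, and the per-directory note counter shows which trees the encryptor actually reached.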

History

Emergence and growing profile

Hive ransomware first became apparent in June 2021.[15] Two months later, ZDNet reported that Hive had attacked at least 28 healthcare organizations in the United States, including clinics and hospitals across Ohio and West Virginia.[16] In August 2021, the FBI released urgent updates warning of the risks from Hive ransomware, as did INCIBE in Spain the following January.[17] Also in August 2021, the FBI released a flash alert on the Hive ransomware attacks that included technical details and indicators of compromise associated with the gang's operations.[10]

In December 2021, Group-IB Threat Intelligence analysts determined that the Hive ransomware group communicated in Russian, though without information regarding its operational location, and that, as of October 16, 2021, at least 355 companies had been victims of Hive ransomware during the previous six months, the majority of them in the United States, with ransoms obtained from over 100 victims seeking to regain control of their digital infrastructure.[18][19] Hive's administrator panel showed that its affiliates had breached more than 350 organizations over four months, an average of three companies attacked every day since Hive's operations were revealed in late June.[20]

Chainalysis ranked Hive eighth on its list of highest ransomware revenue in February 2022.[17] In July 2022, Malwarebytes ranked Hive as the third-most active ransomware group, noting that the group was evolving and that Microsoft had issued a warning stating that Hive had rewritten its malware in the Rust programming language and moved to a more complex encryption method.[citation needed]

Conti links

See also: Conti ransomware

According to Advanced Intelligent Systems expert Yelisey Boguslavskiy and BleepingComputer, Hive had links to the Conti ransomware group since at least November 2021,[21][22] with some Hive members working for both groups.[22] According to Boguslavskiy, Hive was actively using the initial attack access provided by Conti.[21]

In May 2022, BleepingComputer reported that Conti had partnered with Hive and several other well-known ransomware gangs, including HelloKitty, AvosLocker, BlackCat and BlackByte,[23] and that some of the Conti hackers were migrating to these organizations, including Hive.[21][24] The rival group[25] has denied any connection with Conti; nevertheless, once Conti began closing its operations and its hackers reached Hive, Hive began publishing leaked data on the deep web, just as Conti had.[21]

Later in May, Conti announced that it would begin a shutdown process,[11] days after the DOJ announced two indictments of an active Conti operator and Russian national on May 16, 2022,[26] and the following week partnered with Hive to attack the Costa Rica public health service and the Costa Rican Social Security Fund (CCSS).[11]

Unlike the Conti group, Hive was not associated with direct support for the Russian invasion of Ukraine, even though ransom payments to Hive were likely to be received by the same people within Conti who had claimed the group's collective alignment with the Russian government.[21] Boguslavskiy later told BleepingComputer that there was evidence of Hive actively working both via the initial attack accesses secured from Conti and via the services of Conti's pen-testers.[27]

Discovery of vulnerabilities and FBI infiltration

In February 2022, four researchers from Kookmin University in South Korea discovered a vulnerability in the Hive ransomware's encryption algorithm that allowed them to obtain the master key and recover hijacked information.[28][17] In May, a Cisco report indicated that the Hive criminals showed poor security, revealing operational details including their encryption process, and employed any and all means to convince victims to pay, including offering bribes to victims' negotiators after the ransom was paid.[29]

In July 2022, the FBI infiltrated Hive. Undercover agents from the Tampa, Florida field office acquired full access and operated undetected within the Hive network, posing as an affiliate, for seven months, gathering evidence and secretly generating decryption keys for victims to recover their data. The FBI worked with victims to identify Hive's targets, then entered Hive's systems after obtaining court orders and search warrants, before the eventual seizure of Hive's digital infrastructure,[30] which its members used to communicate and carry out the attacks.[31]

In November 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Cybersecurity Advisory detailing Hive ransomware mitigation methods, noting that since June 2021 the group had victimized over 1,300 companies globally and had received approximately US$100 million in ransom payments.[32] Two months later, when it was dismantled by law enforcement, Hive had added 200 more companies to its victims, across 80 countries.[7]

Defeat in cyberspace

On January 26, 2023, United States Attorney General Merrick Garland personally announced[4][5] that, in concert with law enforcement from 13 countries,[3] including Europol and German and Dutch police agencies, Hive had been infiltrated and dismantled through server seizures, after the FBI had obtained over 1,000 decryption keys,[33] which it had provided to 336 victims before shuttering the Hive digital infrastructure. The FBI investigation had uncovered two backend servers in Los Angeles that the group used to store data, and these were seized. Deputy Attorney General Lisa Monaco described the investigation as having legally "hacked the hackers". FBI director Christopher A. Wray reported that only about 20% of American victim companies had reported the breaches. No ransom proceeds were recovered and no arrests were made; the investigation continues.[2][4][5][31][33] The same day, the US State Department issued notice of a US$10 million bounty for information linking Hive ransomware to foreign governments, under its Transnational Organized Crime Rewards Program (TOCRP).[9]

2023 arrests

As part of a Europol investigation, on 21 November 2023 Ukrainian authorities searched 30 premises in western Ukraine and apprehended five men, including the group's alleged leader, a 32-year-old. From one of the suspects they confiscated an unspecified amount of bitcoin equivalent to a six-figure sum in euros. Europol stated that additional suspects were still under investigation.[34]

Attacks

March 2021—CNA Insurance

CNA paid more than $40 million in late March to regain control of its network after a Hive ransomware attack. The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen and CNA officials were locked out of their network.[35] In 2022, it was reported to have been the largest disclosed ransomware payment at that time.[36]

The insurer stated that its investigation concluded that the hackers responsible for the cyberattack were from a group called Phoenix. They had used malware called Phoenix Locker, a variation of the Hades ransomware used by Russian cybercriminal group Evil Corp.[37]

August 2021—Memorial Health System

Memorial Healthcare System was forced to have its hospitals use paper records, cancel procedures, and refer patients to other non-compromised facilities. The organization paid ransom to Hive to regain access to its systems.[16]

April 2022—Microsoft Exchange servers

An investigation by a cybersecurity firm revealed, in April 2022, that an affiliate of the Hive ransomware group was targeting Microsoft Exchange servers vulnerable to the ProxyShell security issues, deploying a variety of backdoors such as Cobalt Strike Beacon, then carrying out network reconnaissance to steal administrator account credentials, exfiltrate valuable data, and deploy the file-encrypting payload.[38]

May 2022—Navarre public institutions

Also in May 2022, Hive attacked the Community of Navarra, Spain, forcing a hundred institutions to use pen and paper while systems were recovered.[39][40]

May 2022—Bank of Zambia

When Hive attacked the Bank of Zambia[41] in May 2022, it refused to pay the ransom, stating that it had means to recover its systems, and posted a link to a dick pic on the extortionists' chat.[42][41][43]

May–June 2022—Costa Rica

Main article: 2022 Costa Rican ransomware attack

Conti announced that they would begin a shutdown process[11] days after the DOJ announced its two indictments of an active Conti operator and Russian national on May 16, 2022.[26] After the Conti digital infrastructure was reset on May 19, it became evident that Conti, claiming a goal of overthrowing the government, partnered with Hive to attack the Costa Rica public health service and Costa Rican Social Security Fund (CCSS).[11] On May 31 at about 2:00 am (UTC-6:00), the Costa Rican Social Security Fund (CCSS) detected anomalous information flows in its systems and immediately proceeded to turn off all its critical systems, including the Single Digital Health File (Expediente Digital Único en Salud, EDUS) and the Centralized Collection System. Some printers in the institution printed messages with random codes or characters,[44] while others printed default instructions from the Hive ransomware group on how to regain access to systems.[45] During the attack, it appeared that Hive alone was responsible for taking down 800 government-run servers and thousands of user terminals.[13] CCSS President Álvaro Ramos Chaves stated that databases with sensitive information were not compromised, though at least 30 of the institution's 1,500 servers had been contaminated with ransomware.[45]

August 2022—Bell Technical Solutions

Bell Canada telecommunications company subsidiary Bell Technical Solutions was attacked by Hive ransomware in August 2022.[46] Hive leaked the company's stolen data.[14]

November 2022—Intersport

As reported in December by the French-language media outlet Numerama, Swiss sporting goods maker Intersport, with over 700 outlets, was breached by Hive in November, with details of the breach visible only on the dark web. Hive demanded that the company pay an undisclosed amount the same day. A sample file allegedly leaked on the dark web by Hive and scrutinized by Numerama contained passports, payslips, and other personal information about Intersport customers, a practice that is common among ransomware gangs. Typically, the ransomware gang locks or encrypts all company data before threatening to publish it online if its ransom demands are not met.[47]

See also

List of cyberattacks

References

  1. "Hive ransomware group claims to steal California health plan patient data". VentureBeat. March 29, 2022. Archived from the original on May 31, 2022. Retrieved June 15, 2022.
  2. "'We Hacked the Hackers': Hive Ransomware Seized in Global Sting". Bloomberg.com. 2023-01-26. Retrieved 2023-06-21.
  3. Glover, Claudia (2023-01-26). "Hive ransomware gang's infrastructure taken down by the FBI and Europol". Tech Monitor. Retrieved 2023-06-21.
  4. Menn, Joseph; Stein, Perry; Schaffer, Aaron (2023-01-26). "FBI shuts down ransomware gang that targeted schools and hospitals". Washington Post. ISSN 0190-8286. Retrieved 2023-06-21.
  5. Mclaughlin, Jenna (January 26, 2023). "FBI says it 'hacked the hackers' to shut down major ransomware group". National Public Radio. Retrieved June 21, 2023.
  6. "Office of Public Affairs | U.S. Department of Justice Disrupts Hive Ransomware Variant | United States Department of Justice". www.justice.gov. 2023-01-26. Retrieved 2023-06-21.
  7. Bushwick, Sophie (April 2023). "FBI Takes Down Hive Criminal Ransomware Group". Scientific American. Retrieved 2023-06-21.
  8. "US shuts down major ransomware network Hive". www.aljazeera.com. Retrieved 2023-06-21.
  9. "US offers $10M bounty for Hive ransomware links to foreign governments". BleepingComputer. Retrieved 2023-06-21.
  10. "Indicators of Compromise Associated with Hive Ransomware" (PDF). August 25, 2021. Archived (PDF) from the original on May 24, 2022. Retrieved June 8, 2023.
  11. "Conti Ransomware Operation Shut Down After Brand Becomes Toxic". www.securityweek.com. 23 May 2022. Archived from the original on June 8, 2022. Retrieved June 15, 2022.
  12. Shakir, Umar (2023-01-27). "FBI says it "hacked the hackers" of a ransomware service, saving victims $130 million". The Verge. Retrieved 2023-06-21.
  13. "Hive Ransomware Group claims responsibility for Tata Power Data Breach". TimesNow. 2022-10-25. Retrieved 2023-06-21.
  14. Page, Carly; Singh, Jagmeet (2022-10-25). "Hive ransomware gang leaks data stolen during Tata Power cyberattack". TechCrunch. Retrieved 2023-08-03.
  15. "FBI issues alert about Hive ransomware". Healthcare IT News. September 2, 2021. Archived from the original on May 20, 2022. Retrieved June 7, 2022.
  16. "FBI releases alert about Hive ransomware after attack on hospital system in Ohio and West Virginia". ZDNET. Retrieved 2023-06-21.
  17. "Researchers decrypt Hive ransomware, recover up to 98% of files". The Stack. 2022-02-21. Retrieved 2023-06-21.
  18. "Inside the Hive". Group-IB. December 9, 2021.
  19. "Hive ransomware claims hundreds of victims in 6-month span". TechTarget.com. Archived from the original on June 5, 2022. Retrieved June 7, 2022.
  20. "Hive ransomware enters big league with hundreds breached in four months". BleepingComputer. Retrieved 2023-06-21.
  21. "Costa Rica's public health agency hit by Hive ransomware". BleepingComputer. Archived from the original on June 6, 2022. Retrieved June 7, 2022.
  22. "FBI: Hive ransomware extorted $100M from over 1,300 victims". BleepingComputer. Retrieved 2023-06-21.
  23. "Conti ransomware shuts down operation, rebrands into smaller units". BleepingComputer. Retrieved 2023-06-21.
  24. "Did the Conti ransomware crew orchestrate its own demise?". ComputerWeekly.com. Archived from the original on May 30, 2022. Retrieved June 7, 2022.
  25. "Hive Ransomware Shut Down by Law Enforcement Operation; FBI in Possession of Decryption Keys, Group's Public-Facing Website". CPO Magazine. Retrieved June 4, 2023.
  26. "District of New Jersey | Russian National Charged with Ransomware Attacks Against Critical Infrastructure | United States Department of Justice". www.justice.gov. 2023-05-16. Retrieved 2023-06-21.
  27. "Hive ransomware claims cyberattack on Bell Canada subsidiary". BleepingComputer. Retrieved 2023-06-21.
  28. Kim, Giyoon; Kim, Soram; Kang, Soojin; Kim, Jongsung (2022). "A Method for Decrypting Data Infected with Hive Ransomware". arXiv:2202.08477 [cs.CR].
  29. McKay, Kendall. "Conti and Hive ransomware operations: Leveraging victim chats for insights" (PDF). Talos Intelligence. Archived (PDF) from the original on May 31, 2022. Retrieved June 8, 2022.
  30. "How the FBI prevented $130 million in crypto ransomware attacks by hacking the hackers behind Hive". Fortune Crypto. Retrieved 2023-05-22.
  31. Lowell, Hugo (2023-01-26). "US authorities seize servers for Hive ransomware group". The Guardian. ISSN 0261-3077. Retrieved 2023-06-21.
  32. "#StopRansomware: Hive Ransomware | CISA". www.cisa.gov. 2022-11-25. Retrieved 2023-06-21.
  33. "US, Europol seize Hive ransomware servers and leak sites: 'We hacked the hackers'". SC Media. 2023-01-26. Retrieved 2023-06-21.
  34. "Ermittler nehmen mutmaßliche Hacker in der Ukraine fest". tagesschau.de (in German). Retrieved 2023-11-28.
  35. Mehrotra, Kartikay; Turton, William (May 21, 2021). "CNA Financial Paid $40 Million in Ransom After March Cyberattack". Bloomberg Businessweek. Retrieved May 22, 2021.
  36. Kshetri, Nir; Voas, Jeffrey (March 2022). "Ransomware: Pay to Play?". Computer. 55 (3): 11–13. doi:10.1109/MC.2021.3126529. ISSN 0018-9162. Wikidata Q112073068.
  37. "CNA pays $40 million ransom to lift malware from its systems". www.insurancebusinessmag.com. Retrieved 2023-06-21.
  38. "Microsoft Exchange servers hacked to deploy Hive ransomware". BleepingComputer. Retrieved 2023-06-21.
  39. Otazu, Amaia (May 28, 2022). "Un ataque informático devuelve a la era del papel a 179 entidades navarras". El País (in Spanish). Archived from the original on June 5, 2022. Retrieved June 7, 2022.
  40. "El culpable del hackeo a las webs municipales navarras es el ransomware Hive". Pamplona Actual (in Spanish). 30 May 2022. Archived from the original on May 30, 2022. Retrieved June 7, 2022.
  41. "Ransomware Attackers Get Short Shrift From Zambian Central Bank". Bloomberg.com. May 18, 2022. Retrieved June 7, 2022.
  42. "El Banco de Zambia responde con una "fotopolla" a la extorsion de los ciberdelincuentes que les atacaron". derechodelared.com (in Spanish). May 25, 2022. Archived from the original on May 25, 2022. Retrieved June 7, 2022.
  43. "National bank hit by ransomware trolls hackers with dick pics". BleepingComputer. Archived from the original on June 1, 2022. Retrieved June 7, 2022.
  44. "FOTOS Y VIDEO: Los extraños mensajes de las impresoras de la CCSS tras hackeo". CRHoy.com (in Spanish). Archived from the original on May 31, 2022. Retrieved June 8, 2022.
  45. "Hive Ransomware Group, el grupo de cibercriminales que atacó la CCSS y tiene predilección por instituciones de salud". delfino.cr (in Spanish). Archived from the original on May 31, 2022. Retrieved June 8, 2022.
  46. "Hive ransomware claims cyberattack on Bell Canada subsidiary". BleepingComputer. Retrieved 2023-07-29.
  47. Black, Damien (Dec 6, 2022). "Hive adds French sports firm to list of victims, local media claims". Cybernews. Retrieved July 23, 2023.

Virginia ZDNET Retrieved 2023 06 21 a b c Researchers decrypt Hive ransomware recover up to 98 of files The Stack 2022 02 21 Retrieved 2023 06 21 Inside the Hive Group IB December 9 2021 Hive ransomware claims hundreds of victims in 6 month span TechTarget com Archived from the original on June 5 2022 Retrieved June 7 2022 Hive ransomware enters big league with hundreds breached in four months BleepingComputer Retrieved 2023 06 21 a b c d e Costa Rica s public health agency hit by Hive ransomware BleepingComputer Archived from the original on June 6 2022 Retrieved June 7 2022 a b FBI Hive ransomware extorted 100M from over 1 300 victims BleepingComputer Retrieved 2023 06 21 Conti ransomware shuts down operation rebrands into smaller units BleepingComputer Retrieved 2023 06 21 Did the Conti ransomware crew orchestrate its own demise ComputerWeekly com Archived from the original on May 30 2022 Retrieved June 7 2022 Hive Ransomware Shut Down by Law Enforcement Operation FBI in Possession of Decryption Keys Group s Public Facing Website CPO Magazine Retrieved June 4 2023 a b District of New Jersey Russian National Charged with Ransomware Attacks Against Critical Infrastructure United States Department of Justice www justice gov 2023 05 16 Retrieved 2023 06 21 Hive ransomware claims cyberattack on Bell Canada subsidiary BleepingComputer Retrieved 2023 06 21 Kim Giyoon Kim Soram Kang Soojin Kim Jongsung 2022 A Method for Decrypting Data Infected with Hive Ransomware arXiv 2202 08477 cs CR McKay Kendall Conti and Hive ransomware operations Leveraging victim chats for insights PDF Talos Intelligence Archived PDF from the original on May 31 2022 Retrieved June 8 2022 How the FBI prevented 130 million in crypto ransomware attacks by hacking the hackers behind Hive Fortune Crypto Retrieved 2023 05 22 a b Lowell Hugo 2023 01 26 US authorities seize servers for Hive ransomware group The Guardian ISSN 0261 3077 Retrieved 2023 06 21 StopRansomware Hive Ransomware CISA www cisa 
gov 2022 11 25 Retrieved 2023 06 21 a b US Europol seize Hive ransomware servers and leak sites We hacked the hackers SC Media 2023 01 26 Retrieved 2023 06 21 Ermittler nehmen mutmassliche Hacker in der Ukraine fest tagesschau de in German Retrieved 2023 11 28 Mehrotra Kartikay Turton William May 21 2021 CNA Financial Paid 40 Million in Ransom After March Cyberattack Bloomberg Businessweek Retrieved May 22 2021 Nir Kshetri Jeffrey Voas March 2022 Ransomware Pay to Play Computer 55 3 11 13 doi 10 1109 MC 2021 3126529 ISSN 0018 9162 Wikidata Q112073068 CNA pays 40 million ransom to lift malware from its systems www insurancebusinessmag com Retrieved 2023 06 21 Microsoft Exchange servers hacked to deploy Hive ransomware BleepingComputer Retrieved 2023 06 21 Otazu Amaia May 28 2022 Un ataque informatico devuelve a la era del papel a 179 entidades navarras El Pais in Spanish Archived from the original on June 5 2022 Retrieved June 7 2022 El culpable del hackeo a las webs municipales navarras es el ransomware Hive Pamplona Actual in Spanish 30 May 2022 Archived from the original on May 30 2022 Retrieved June 7 2022 a b Ransomware Attackers Get Short Shrift From Zambian Central Bank Bloomberg com May 18 2022 Retrieved June 7 2022 El Banco de Zambia responde con una fotopolla a la extorsion de los ciberdelincuentes que les atacaron derechodelared com in Spanish May 25 2022 Archived from the original on May 25 2022 Retrieved June 7 2022 National bank hit by ransomware trolls hackers with dick pics BleepingComputer Archived from the original on June 1 2022 Retrieved June 7 2022 FOTOS Y VIDEO Los extranos mensajes de las impresoras de la CCSS tras hackeo CRHoy com in Spanish Archived from the original on May 31 2022 Retrieved June 8 2022 a b Hive Ransomware Group el grupo de cibercriminales que ataco la CCSS y tiene predileccion por instituciones de salud delfino cr in Spanish Archived from the original on May 31 2022 Retrieved June 8 2022 Hive ransomware claims cyberattack 
on Bell Canada subsidiary BleepingComputer Retrieved 2023 07 29 Black Damien Dec 6 2022 Hive adds French sports firm to list of victims local media claims Cybernews Retrieved July 23 2023 Retrieved from https en wikipedia org w index php title Hive ransomware amp oldid 1218463233, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.