Ransomware attacks, in which hackers encrypt a computer system and then demand payment from victims who would otherwise lose access to their data, have harmed targets ranging from individuals to powerful entities. Victims have included large companies such as the meat supplier JBS, major infrastructure such as the Colonial Pipeline and entire countries such as Costa Rica. Last week the Department of Justice announced some rare good news about this criminal industry: the FBI infiltrated a major ransomware group called Hive and obtained its decryption keys. These keys let the ransomware victims recover their data without paying the demanded fee. The FBI’s work helped affected parties avoid paying $130 million. Afterward American law enforcement worked with international partners to seize Hive’s servers and take down its website.
According to the official DOJ announcement, Hive has been a major player in the ransomware space since June 2021, attacking more than 1,500 victims in more than 80 countries and extorting more than $100 million. “I would say that’s up there with the largest ransomware groups that we’ve got data on, in terms of how many organizations have been impacted and how much money is being paid out,” says Josephine Wolff, an associate professor of cybersecurity policy at Tufts University. Scientific American spoke with Wolff about how the FBI took down Hive and how much of an impact this law-enforcement operation will have on other ransomware criminals.
[An edited transcript of the interview follows.]
What action did the FBI take against Hive?
There are two parts of this, both of which are really interesting. The first thing that law enforcement did is it actually infiltrated their internal communications for a period of several months—we think going back to [last] summer, based on what the Justice Department has said. And because [law enforcement was] inside their computers and able to see who they had infected and, more importantly, what the decryption keys were to undo that ransomware, the Justice Department has said [it was] able to help lots of victims who had been targeted and actually unencrypt their systems by essentially stealing those decryption keys from the Hive servers, without Hive’s knowledge of what was going on. So, for months, you had an undercover presence in those servers of law enforcement, taking decryption keys and giving them to victims so that they can recover their computers.
The second part of that, which is what just happened, is the takedown. And that’s where the Justice Department actually goes in and seizes servers and removes [Hive’s] website. For that part, I think it’s harder to know what the long-term impacts will be because servers and websites are replaceable. So it’s a good disruption, but it’s not necessarily equivalent to saying, “These people will never be able to distribute ransomware again.” And my guess would be—and here I’m just speculating—that the reason the takedown happened is because the law enforcement presence in [Hive’s] system had been detected. Because otherwise, I think you would try to maintain that presence as long as you reasonably could.
Is the FBI likely to continue putting together operations like this that involve embedding agents in the systems of criminal organizations for months?
Honestly, I hope so. I think it’s a tricky thing to do in a lot of cases because many cybercriminal organizations, for obvious reasons, are fairly cautious about who has access to their servers. My guess is that this is a little bit of an anomaly, finding one that was poorly protected enough. And perhaps [that is] also tied to the fact that [Hive is] a “ransomware as a service” organization: you see them renting out their malware to a bunch of other bad actors and therefore being used quite widely by a whole bunch of different entities in this space. And therefore they have a lot of dealings with people who are not internal known members of their own organization but are customers buying their services. Perhaps that made it a little bit easier to introduce new people to the organization and the systems. Certainly, I think this is something that law enforcement will continue trying to do. I hope it’ll be successful.
Will Hive’s downfall deter other ransomware groups?
I think that that depends a little bit on some of the next steps—nobody’s been arrested yet. I think this is not a story that’s necessarily going to make cybercriminals run in fear. My guess is that some of the larger organizations are going to be sweeping their own systems and looking for any signs of a similar presence that they should pay attention to. I don’t know that it’s going to make anybody tone down their ransomware operations, partly because I think there’s less attention to that and less fear of that for cybercriminals who operate overseas. But it’s certainly going to give people some nervousness about the possibility of their own systems being infiltrated in this manner.
What else have these groups been up to lately? What’s the current state of the ransomware world?
We continue to see these fairly significant, really impactful ransomware attacks on health care institutions, at local and national government levels, at private institutions. In general, my sense, certainly from insurers, has been that the rate of ransomware has slowed a little bit in the past six months to a year—that it’s not as frequent or as common as it was perhaps in 2020, 2021, at the moment when it was doing the most damage and causing the greatest number of claims. But that’s certainly not to say it’s gone away.
Why is that slowdown happening?
There are different ideas about that. I think many of the insurers would say, “We’ve gotten better at requiring policyholders to take certain measures to protect themselves”—the most straightforward of which is creating backups, requiring that everybody be able to reboot their systems if everything gets encrypted. And they think that has helped reduce, at least, the number of claims and the amount of damages caused by ransomware attacks. There’s also some extent to which the war in Ukraine throws the ransomware industry into some amount of disarray. There’s a set of ransomware groups and cybercrime organizations that have people working in Ukraine, often leaders based in Russia, who are starting to leak information about each other and undermine each other’s efforts from within.
And then the other piece of it is pretty aggressive policing in the U.S. but also in Europe: trying to catch people, do takedowns and make ransomware a less lucrative crime. Some of that also centers on regulation of the cryptocurrency industry: trying to sanction certain cryptocurrency exchanges that criminals are using to process these payments. Cryptocurrency intermediaries facilitate currency payments at scale and across national borders, which is so essential for this to be a profitable business. Another piece of this that the U.S. government definitely is pursuing is the international partnership piece. Most of these criminals are based not in the U.S. or other countries where most of the victims are located. [Taking them down] actually requires very active collaboration with law enforcement overseas.
Are cybercriminals changing up their tactics to counter the more robust response from law enforcement?
One piece we haven’t touched on a lot is the question of what happens when ransomware operators don’t just encrypt a victim’s system but also steal copies of all their data and then threaten, “If you don’t pay a ransom, I’m going to leak all of your data online.” And that’s a thing that’s been growing in frequency for the past couple of years. It’s particularly problematic when you think about solutions we’ve seen, where the hope is “if we provide the decryption key, then people won’t pay the ransom.” If there’s a stolen copy that’s being held over a victim’s head, that’s a less effective mitigation.
Have we learned anything else from Hive’s takedown?
In the Department of Justice announcement, they said that when they were inside the Hive servers, they could see who was being targeted. But they were only getting reports from about 20 percent of those victims. This gives us one data point for what percent of ransomware attacks are actually being directly reported to the FBI versus the ones [for which] the FBI had to proactively reach out and say, “Hey, we see that it looks like this ransomware group may have impacted you. We think we can help.” [Twenty percent is] a pretty low number in terms of trying to understand the scale of this problem beyond what people voluntarily report.