FBI, Romanian police, international partners neutralize HIVE ransomware group
The Romanian police, along with DIICOT, Europol, German, Dutch, and United States authorities (including the FBI), contributed to neutralizing the HIVE ransomware group. The decryption keys were identified and made available to multiple victims, allowing them to regain access to their data without paying the attackers.
HIVE ransomware has been identified as a major threat in the past year, as it has been used to compromise and encrypt data and computer systems of large IT and multinational oil companies in the European Union and the United States. From June 2021 until now, the group's attacks have targeted over 1,500 companies in more than 80 countries.
Individuals affiliated with the group carried out the cyberattacks using HIVE software that was created, maintained, and updated by the group’s developers. The affiliates would copy and encrypt the data, then demand a ransom in exchange for decrypting the files and not publishing the stolen data on a leak site. After the victims paid the ransom, the proceeds would be split between the affiliates, who kept 80%, and the developers, who received the remaining 20%, according to a Romanian police press release cited by Agerpres.
There have been other groups that have used the "ransomware as a service" method to carry out high-level cyber-attacks. Ransoms of millions of euros were demanded to decrypt the data of companies providing critical infrastructure. Government institutions, telecommunications companies, production companies, information technology companies, medical care services, and public health institutions were all targeted.
In one instance, HIVE affiliate members targeted a hospital handling COVID patients, forcing it to resort to traditional methods of treating existing patients and making it unable to take in new ones. Other HIVE members would obtain the personal data of the victims through the distribution of "phishing" emails, exploiting vulnerabilities in the operating systems of the devices targeted. The group has received USD 100 mln in ransom payments since June 2021.
To combat HIVE, judicial authorities provided companies with decryption keys so that they would not have to pay a ransom. Payments of over EUR 120 mln were prevented in this way.
In Romania, the HIVE ransomware group infected the IT infrastructure of several medium and large companies in different fields of activity, including some in the category of essential services, disrupting the functioning of their computer systems and the conduct of their activities.
Europol facilitated the exchange of information, supported the coordination of the operation, and financed the operational meetings in Portugal and the Netherlands. Europol also provided analytical assistance, collecting data on multiple criminal cases, both within the European Union and outside, and supported the investigation through cryptocurrency, malware, and forensic analysis. The operation also benefited from the support of the Europol Cybercrime Working Group. This operational team is made up of liaison officers from multiple countries working on cases of large-scale computer crimes.