Knocking down Hive: How the FBI ran its own ransomware decryption operation
The FBI’s effort to take down one of the world’s most prolific ransomware gangs, Hive, earlier this year marked a departure for the bureau because it was particularly focused on the group’s victims. Deputy Attorney General Lisa Monaco told Click Here in an interview recently that the FBI and Justice Department had decided to put a newfound emphasis on victim recovery. “We need to take those steps that can help prevent the next victim,” she said. “And [we’re putting] victims at the center of our strategy.”
Nowhere was that more evident than in the takedown of Hive. The FBI sat in the group’s servers for some seven months, and while inside the bureau generated over 300 decryption keys and quietly gave them to victims so they could unlock their systems without paying a ransom. The FBI also provided another 1,000 keys to people who had been hacked by the group in the past, allowing them to recover some lost data.
According to the Justice Department, the decryption key operation — led by a team in Tampa, Florida — prevented some $130 million in ransom payments from reaching the gang’s cryptocurrency wallets. Click Here spoke with Bryan Smith, section chief for the FBI’s Cyber Criminal Operations Section, about that tactic and what it means for future operations. The interview has been edited for length and clarity.
CLICK HERE: So the Hive takedown didn’t just happen overnight. How long was the FBI actually lurking in Hive’s servers?
BRYAN SMITH: So we were in for about seven months, so late July of 2022 until we did the takedown in January of 2023.
CH: When the FBI first infiltrated Hive’s servers, what did it do there? What was its main objective?
BS: When we got into the system, we didn't know how long the Tampa team would have on the panel. While there was excitement when they actually got that access, there was no time to kind of enjoy that moment because we didn't know if that access would last for an hour or a day or a week. And so immediately the Tampa team jumped on generating the decryption keys for all the victims and getting those out. So when the days went on into weeks and then the weeks went on into months, it provided us a unique opportunity to continue to provide relief to victims.
CH: How did the FBI provide decryption keys to victims while ensuring the success of an ongoing covert operation?
BS: The criteria that we utilize for when we're going to make it public is based on a couple things. What's the impact on the investigation? Is this going to expose the fact that we're looking at the group and make it impossible for us to take action against the actors? What's the impact on the long-term pursuit of justice? So if I give out one decryption key, am I going to be able to actually get justice for the overall victims? And this is not a quadratic equation. Those are the criteria that we're looking at in these [cases].
CH: During the Hive investigation, the FBI did provide countless victims with decryptors. Can you tell me more about that?
BS: In this instance, we looked at it and we recognized that this was a unique opportunity that we had in order to make victims whole and prevent payments by them at such a scale that it outweighed any of those [other concerns].
And there has been a shift in our strategy on disruptions, in that we are looking to disrupt the adversary on an ongoing basis. And so what we've got to do is increase the cost for them to do this, to do their criminal activity. That involves disruptions along the way.
And one of the disruptions that we can utilize is decryption capabilities. If we could prevent them from getting revenue, it made it so that their business would not be a going concern. And it would also then benefit the victims out there. So we really have taken a victim-centric approach to how and when we push out the decryption.
CH: I want to take a step back to understand how the encryption and decryption actually worked for Hive. Can you walk me through the Hive business model?
BS: In the case of Hive, they use the double extortion model. So they would then take information off your network, extract it, and then they would drop their payload which would encrypt the files. It's called double extortion because they had two options to get money from you. One was the actual encryption to decrypt files and you would pay them. … The other way was that if, let's say, you had backups and you didn't need to decrypt your files, but you didn't want your data to be released on the internet, then an entity may pay just to get that data back. They say that they're gonna delete it, but that doesn't necessarily mean that happens.
CH: So to provide decryptors, the FBI essentially had to hack the hackers?
BS: Yes. So we essentially operated like an affiliate, and our team in Tampa, who ran this case, would generate those decryptors and then provide them to the victims.
CH: So you didn't pull it out of Hive.
BS: Correct. We created it. What the FBI team in Tampa did here was essentially the same model that the criminals utilized. We gained access to the network, looked around, saw what we could do with it, and then we operated as them. We created the decryption keys and got those to the victims. What's different is that we did that through lawful authorities given to us by a court.
CH: So because the FBI had access to the Hive server, they are able to generate decryption keys. But how do you get these keys out to so many victims? What does that side of the operation look like?
BS: There were victims in 48 different states and leads went out to provide those decryption keys to all of those victims. And so that's where we leveraged our field offices across the country. And then through our legal attachés, where we have FBI agents set in 72 different countries, we provided decryption keys for any of the victims in those foreign countries. The initial push was to get that out there so we could provide some relief as quickly as possible.
Then the second phase was the ongoing victims. So while we were on the system for those seven months, people continued to get encrypted and victimized by Hive. And in those cases, if they were encrypted, we would generate that decryptor and go and provide it to them.
And we were lucky enough that in a few circumstances we actually were able to provide notification before the encryption happened. That provided us an opportunity to then let the victim know the indicators of compromise so that they could then clean Hive off their network before they were even victimized.
CH: Do you know how much money in ransom payments the FBI prevented by providing decryption keys?
BS: We know that we prevented $130 million in ransom payments, but that's just based off the payments. But if you think about all the collateral damage that it causes when you get victimized by a ransomware group and you hire an outside incident response firm, an outside legal counsel — that amount can exceed that number quite a bit. And so we feel like that's a very conservative number as to what sort of relief we are able to provide.
CH: Were there any surprising lessons that came out of this investigation for you?
BS: I guess one of the things that we learned from this was that victim reporting is not what it needs to be. This was a unique insight that we had because we could see every single victim of Hive. And when we compared that list to who had reported ransomware events, only somewhere between 20% and 25% of the Hive victims had actually reported that they had been victimized. And that's problematic.
In this instance, we could see all the victims and we were proactively able to reach out to them and tell them that we had a decryptor. But other times we have a decryptor, but we don't know who the victims are. And so if the victim doesn't call, they don't know that they have this opportunity to get relief and not pay that ransom amount to the adversary.
In addition, the more victims that we have coming in, the more opportunities that we're able to then leverage to find instances where an adversary maybe makes some mistake. If their VPN drops and we get a true IP address and we get wallets that we can then look at the activity in the wallet and trace things back from it. But by getting those [data points] cumulatively, which comes from all victims reporting, it gives us a much better chance at having success.
CH: After spending seven months in the system, the FBI ultimately shut Hive down. What happens next?
BS: So what we did in this instance was take down the infrastructure that Hive leverages to produce their attacks. That’s a significant disruption to their operations. It was also significant because we were in their system for seven months. There's information that we obtained during those seven months, and so there's an ongoing investigation to target the group. And you can expect there'll be more to come.