Ransomware experts laud Hive takedown but question impact without arrests

The Justice Department's splashy announcement of the takedown of the Hive ransomware group's infrastructure on Thursday was reminiscent of other recent high-profile operations against the scourge of ransomware.

But the details of the operation set it apart from other ransomware group takedowns in recent years. FBI Director Christopher Wray said agents with the bureau's Tampa Field Office gained “clandestine, persistent access” to the control panel used by Hive operators seven months ago, allowing them to identify victims and offer decryption keys to more than 1,300 of them around the world while preventing at least $130 million in ransom payments.

Still, one notable variable was missing from the Justice Department’s announcement: arrests. Europol said four experts were deployed to “coordinate the activities on the ground,” but no arrests have been announced in any of the 12 countries involved in the operation to take down Hive. 

Attorney General Merrick Garland declined to comment, noting that the investigation was ongoing. Wray attempted to frame the lack of arrests as part of an evolution in how the FBI is approaching ransomware investigations. 

“More and more I think you can expect to see … situations where impact is achieved by more than just arrests, where we’re doing things like getting keys to victims, taking down infrastructure and seizing cryptocurrency,” Wray said during a press conference Thursday.

ReliaQuest’s Mike McPherson — who led the Tampa Field Office as special agent in charge in 2021 when the Hive operation was first opened — told The Record that the lack of arrests did not detract from how noteworthy the operation was.

McPherson said the offensive actions of law enforcement made it “significant” and the capture of decryption keys a “major win for the good guys.”

“Turning the tables and hacking a ransomware group is not an activity that law enforcement normally undertakes,” he said. “Members of these criminal organizations will go to bed tonight with one eye open wondering if their networks have been penetrated and if there are agents waiting to arrest them if they dare to travel beyond their current safe havens.”

Echoes of the REvil takedown

Recorded Future ransomware expert Allan Liska said law enforcement took similar action against REvil last year after the group caused widespread damage with its attack on technology provider Kaseya. The Record is an editorially independent unit of Recorded Future.

In that operation, the FBI and an unnamed foreign government hacked the servers of REvil in the summer of 2021, hiding in its systems until U.S. Cyber Command blocked its website by hijacking its traffic. 

At the time, the FBI faced backlash for withholding the decryption keys for secondary victims of the Kaseya attack, which affected thousands of companies around the world. According to The Washington Post, the FBI did not want to tip off REvil operators by handing out the decryption keys.

Liska could not recall another instance where law enforcement had such a lengthy stretch of infiltration of a ransomware group as was described on Thursday. 

“The combination of extensive access and multiple law enforcement groups involved in this operation means that there has been a lot of intelligence sharing from the infrastructure infiltrated — and tracking down and arresting those outside of Russia is likely imminent,” Liska said. 

Liska said members of the group “should be shitting themselves right now” because there may be many other operations similar to this going on concurrently. 

“The law enforcement agencies may not be able to arrest you but they can find out a whole lot about you. Even in Russia,” he said.

Former FBI Cyber Division Special Agent Austin Berglas noted that with REvil, law enforcement agencies were able to dismantle the group and arrest numerous members after getting information “from a disgruntled internal REvil source.”

But Berglas, now global head of professional services at BlueVoyant, noted that the true dismantlement of a ransomware group like Hive “only comes after law enforcement can arrest the individuals responsible.” 

Cybercriminals are adept at anonymizing online communications, locations and infrastructure, and they largely operate in physical locations in the world where law enforcement cooperation is non-existent, Berglas said. 

“A very temporary decline in ransomware activity in the wake of the website seizure is possible, but a website seizure does not guarantee the group’s inactivity or that arrests will be made.”

Adam Flatley, vice president of intelligence at Redacted and a member of the U.S. Ransomware Task Force, said in most cases if law enforcement had the ability to arrest individuals in a criminal gang, they would have done so prior to conducting an infrastructure takedown, which would alert the criminal organization. 

The most likely scenario, according to Flatley, is that the group will suffer a short-term disruption in operations due to the loss of infrastructure, conduct an internal security review to assess damage and update security practices, “and then get back to business as soon as possible because there is just too much money to be made in ransomware extortion to sit idle for long.”

The FBI — through its Rewards for Justice program — issued a reward of up to $10 million for any information on the whereabouts of Hive actors. On Friday morning, Russian telecommunications regulator Roskomnadzor blocked access to the U.S. State Department’s Rewards for Justice website.

The group has targeted so many healthcare institutions – at least 28 organizations in 2021 alone – that the U.S. Department of Health and Human Services published a report on it in an effort to help hospitals facing attack. Hive forced a California healthcare facility to shut down last March and attacked Romania’s largest oil refinery proprietor in February

The FBI spotlighted the group in August 2021 after members ransomed dozens of healthcare organizations last year.

Hive’s future

Even when ransomware groups implode in this fashion, their members typically form or join different groups. 

The latest example is the Conti ransomware group, which launched several high-profile attacks on governments last year before imploding after a disgruntled member leaked internal communications. 

Former members are now suspected of spinning off into other groups like BlackBasta and BlackByte, Berglas said. 

“If history is any indication, a reform certainly is possible, but this is only the first step in the investigation. Identification and attribution of the actual group members can be a very technical, complex, and time-consuming process,” he said. 

Emsisoft ransomware expert Brett Callow said the raid “is almost certainly the end of the Hive brand” because affiliates and business partners will have lost confidence in the integrity of the operation.

But as with other operations, the people behind the ransomware strain will likely resume operations under a new brand name. That’s not to say that the FBI operation did not have value, Callow noted, explaining that any success in keeping millions of dollars out of the hands of cybercriminals is a positive development. 

Law enforcement may also have collected information that allows them to eventually identify the individuals involved and help disrupt parts of the ransomware supply chain, he added. 

Experts are fairly confident that the core group of Hive developers is based in Russia and likely will spin up another ransomware-as-a-service offering sooner or later. 

“But, the extensive access that law enforcement appears to have means that affiliates and contractors outside of Russia should lay very low, if they are smart (which they are often not),” Liska said. 

Unfortunately, the protection provided to groups like Hive in Russia makes it difficult for experts to expect any real consequences for its leaders. 

Former Obama administration cybersecurity official Tom Kellermann said the protection racket that exists between the cybercrime cartels and the Russian regime “endows them with untouchable status from Western law enforcement.”

“We must recognize that the majority of the proceeds from ransomware allow for Russia to offset economic sanctions,” said Kellermann, who is now a senior vice president at Contrast Security. 

Because the ransomware underground is highly centralized in Eastern Europe, a relatively small number of groups are responsible for a majority of attacks. 

The top-heavy nature of the ecosystem means that disruptive action like what was announced on Thursday has a significant impact overall, according to Abnormal Security’s Crane Hassold. 

He theorized that those involved may pivot to other brands of cybercriminal activity, including business email compromise. 

“Business email compromise is the most financially impactful cyberthreat today and, instead of using their initial access malware to gain a foothold on a company’s network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks,” he said. 

Satnam Narang, senior research engineer at Tenable, said Hive affiliates are typically responsible for conducting most of the group’s attacks and can easily pivot to other affiliate programs of groups that remain operational.

Narang theorized that one ramification of the FBI operation may be ransomware groups lessening their reliance on leak sites as a way to stay under the radar. 

While Hive’s reputation may be damaged beyond repair, the operation is unlikely to put a significant dent in the proliferation of ransomware globally. 

“The takedown of the Hive network will not directly impact the numerous other criminal ransomware groups operating across the globe," McPherson said, "but it does send a strong message,”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.