Justice Department Disrupts Group Behind Thousands of Ransomware Attacks
Garland, at a news conference in Washington, said Hive was behind attacks over the past two years on a Midwestern hospital, which was forced to stop accepting new patients and pay a ransom to decrypt health data. While Garland did not name the hospital, the Memorial Health System in West Virginia and Ohio was attacked by Hive affiliates at the same time. Hive was also linked to an attack last year on the Costa Rican Public Health Service.
Hive is known to attack healthcare organizations; the Department of Justice, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services issued a joint alert last year warning of additional Hive attacks on healthcare and public health groups.
Garland said the Justice Department has helped about 300 victims worldwide since July and prevented about $130 million in ransom payments to Hive.
“Cybercrime is an ever-evolving threat, but as I have said before, the Department of Justice will spare no resources in identifying and bringing to justice anyone, anywhere, who targets the United States with a ransomware attack,” Garland said.
FBI Director Christopher Wray said the “disruption campaign” against Hive had taken place over the past year and a half and involved FBI personnel accessing Hive control panels in order to give victims keys to unlock their encrypted systems. Wray urged victims of cyberattacks to come forward and notify law enforcement, noting that only about 20% of Hive victims have done so.
“A reminder to cybercriminals: Wherever you are and no matter how hard you twist and turn to cover your tracks, your infrastructure, your criminal associates, your money and your freedom are all at risk, and there will be consequences,” Wray told reporters.
Hackers linked to some ransomware attacks have often operated out of Russia, including the hackers behind the 2021 attack on Colonial Pipeline, which temporarily crippled gas supplies to the East Coast. While the Biden administration opened talks with Moscow in 2021 on cracking down on Russian-based cybercriminals, those talks fell apart in the wake of Russia’s invasion of Ukraine last year.
When asked if Hive’s cybercriminals were based in Russia, Garland declined to answer, noting that “we are in the midst of an ongoing investigation.”
While taking down Hive’s operations is a victory for the Department of Justice – which launched a ransomware task force in 2021 to better prioritize investigating and prosecuting ransomware cybercriminals – at least one expert is skeptical about its long-term impact.
“Disrupting the Hive service will not result in a significant drop in overall ransomware activity, but it is a blow to a dangerous group that has put lives at risk by attacking the healthcare system,” John Hultquist, head of Mandiant Threat Intelligence at Google Cloud, said Thursday. He noted that a new competitor will likely be “on hold” to take Hive’s place.
“Actions like this add friction to ransomware operations. Hive may need to regroup, retool, and even rebrand,” Hultquist said. “When arrests are not possible, we will have to focus on tactical solutions and better defense. Until we can tackle the Russian haven and resilient cybercrime market, we will have to focus on that.”