Yesterday saw the final step in a long campaign by global law-enforcement agencies to take down a RaaS (Ransomware as a Service) network called Hive.

Operation Dawnbreaker

Europol (the European Union Agency for Law Enforcement Cooperation) said that thirteen countries took part in the complex case, which saw multiple servers taken offline across the world.

The countries and agencies involved in the operation were:

  • Canada: Royal Canadian Mounted Police (RCMP) and Peel Regional Police
  • France: National Police (Police Nationale)
  • Germany: Federal Criminal Police Office (Bundeskriminalamt) and Police Headquarters Reutlingen, CID Esslingen (Polizei BW)
  • Ireland: National Police (An Garda Síochána)
  • Lithuania: Criminal Police Bureau (Kriminalinės Policijos Biuras)
  • Netherlands: National Police (Politie)
  • Norway: National Police (Politiet)
  • Portugal: Judicial Police (Polícia Judiciária)
  • Romania: Romanian Police (Poliția Română, DCCO)
  • Spain: Spanish Police (Policía Nacional)
  • Sweden: Swedish Police (Polisen)
  • United Kingdom: National Crime Agency
  • USA: United States Secret Service and Federal Bureau of Investigation

Image: Hive take-down notification

What was Hive?

Hive was a ransomware-as-a-service (RaaS) model featuring administrators and affiliates.

RaaS is a subscription-based model: the administrators develop a ransomware strain, build an easy-to-use interface with which to operate it, and then recruit affiliates to deploy the ransomware against victims.

Affiliates identified targets, deployed this ready-made malicious software against them, and earned a percentage of each successful ransom payment.

Hive members employed a double-extortion model of attack whereby, before encrypting the victim system, the affiliate would steal sensitive data and then request a ransom for both the decryption key necessary to decrypt the victim’s system and a promise to not publish the stolen data.

Hive affiliates frequently targeted the most sensitive data in a victim’s system to increase the pressure to pay.

Once a victim paid the ransom, the affiliates and administrators split it 80/20, with the affiliate who carried out the attack keeping the larger share.

Hive published the data of victims who did not pay on the Hive Leak Site.

No honour among thieves

Whilst not always the case, many ransomware gangs tend to stay away from certain targets such as hospitals. Not Hive: they regularly targeted schools and hospitals, often putting the delivery of care at risk.

Infiltrating the hive

Since the summer of 2022, the FBI and other law enforcement agencies had been working against the Hive network, silently infiltrating its online systems.

This access allowed the enforcement teams to obtain decryption keys and pass them to victims, heading off ransom payments before they were made.

“Last July, FBI Tampa gained clandestine, persistent access to Hive’s control panel. Since then, for the past seven months, we’ve been able to exploit that access to help victims while keeping Hive in the dark, using that access to identify Hive’s victims and to offer over 1,300 victims around the world keys to decrypt their infected networks, preventing at least $130 million in ransom payments, cutting off the gas that was fueling Hive’s fire.”

FBI Director Christopher Wray

Hive was a Russophone group, based mainly in Russia. Whilst Hive was not an arm of the Russian government, it was at the very least tolerated and enabled by Russian official entities, effectively operating as a privateer organisation, taking prizes belonging to countries that were not friendly to Russia.