Earlier today, the FBI seized the Hive ransomware gang’s dark web website as part of a “coordinated law enforcement action” alongside the Secret Service and other European enforcement agencies. This appears to be just the start of a coordinated crackdown on Hive’s criminal enterprise.
“Today’s announcement is only the beginning. We’ll continue gathering evidence, building out our map of Hive developers, administrators and affiliates, and using that knowledge to drive arrests, seizures and other operations,” said Christopher Wray, director of the FBI at a press conference in Washington, D.C.
While it is likely that Hive will resurface again, the removal of its website is a significant win for the FBI, particularly when considering that Hive has extorted over $100 million from more than 1,300 organizations globally.
From a broader perspective, the takedown also shows that international enforcement against ransomware threat actors is increasing, which will make it more difficult for these entities to target organizations in the future.
Event
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
The FBI strikes back against ransomware
The announcement comes just weeks after Royal Mail experienced a ransomware attack that disrupted the overseas delivery of parcels and letters. It also comes as the geopolitical tension surrounding the Russia-Ukraine war is intensifying, with the U.S. joining Germany in sending tanks to Ukraine.
“Today’s disruption of the Russian Hive ransomware infrastructure underscores the historic international cooperation between law enforcement agencies. The International Ransomware Taskforce is having an impact,” said Tom Kellermann, CISM, senior VP of cyberstrategy at Contrast Security.
However, Kellermann warns that there’s still more to be done to address the impunity of Russian state-backed cybergangs, who are free to engage in criminal activity internationally with little threat of prosecution.
“The real challenge lies in the protection racket that exists between the cybercrime cartels and the Russian regime, which endows them with untouchable status from western law enforcement. We must recognize that the majority of the proceeds from ransomware allow for Russia to offset economic sanctions.”
Breaking down the RaaS economy
When considering that only a handful of threat actors like Hive, Black Basta, and LockBit are responsible for the majority of the high-profile ransomware breaches, the FBI’s crackdown on Hive has the potential to significantly damage the ransomware-as-a-service (RaaS) economy by hampering one of the most prolific groups.
“Unlike some other cyberthreats, like business email compromise (BEC), the ransomware landscape is very centralized, meaning a relatively small number of groups are responsible for a majority of all the attacks,” said Crane Hassold, former FBI cyber psychological operations analyst and head of research at Abnormal Security.
“The silver lining to this top-heavy ecosystem is that disruptive actions against one of these primary groups, such as law enforcement takedowns, can have a significant impact on the overall landscape,” Hassold said.
In this sense, taking down Hive’s website has the potential to decrease the volume of ransomware over the short term.
The impact of disrupting Hive’s operations can’t be underestimated, particularly when considering the revenue generated by ransomware threat actors is already steadily decreasing, dropping from $765.6 million in 2021, to $456.8 million in 2022. Staggering one of the most prolific actors in the space will work to bring this total down even further.
Why cyber resilience is still key
Although this is positive news for U.S. organizations, having Hive still on the loose and ransomware attacks remaining as one of the most lucrative forms of cybercrime, organizations can’t afford to stop investing in cyber resilience against these types of attacks.
“Disrupting Hive is no doubt a victory, but the war is far from over,” said Kev Breen, director of cyber threat research at Immersive Labs. “While this action will have a short-term effect on the proliferation of ransomware, Hive operates under a ransomware-as-a-service (RaaS) model, meaning they use affiliates that are responsible for gaining the initial foothold and then dropping the ransomware payload.
“With the proverbial head of this snake cut off, those affiliates will turn to other ransomware operators and pick up where they left off,” Breen said.
In response, Breen argues that organizations should continue to build long-term cyber resilience, while cyber leaders must take action to ensure users have the capabilities and judgment to respond to attacks.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.
