Thursday, January 26, 2023

U.S. infiltrates big ransomware gang: ‘We hacked the hackers’

U.S. officials and foreign partners said the targeted syndicate, known as Hive, is among the world’s top five ransomware networks and has heavily targeted health care.

By Eric Tucker | Associated Press and Frank Bajak | Associated Press
   
SHARE U.S. infiltrates big ransomware gang: ‘We hacked the hackers’
Deputy Attorney General Lisa Monaco, flanked by Attorney General Merrick Garland, left, and FBI Director Christopher Wray, announces the results of a coordinated effort to infiltrate and disrupt a ransomware syndicate known as Hive. No arrests have been made, but authorities say the investigation is continuing.

AP Photos

WASHINGTON — The FBI and international partners have at least temporarily disrupted the network of a prolific ransomware gang they infiltrated last year, saving victims, including hospitals and school districts, a potential $130 million in ransom payments, Attorney General Merrick Garland and other U.S. officials announced Thursday.

“Simply put, using lawful means we hacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference.

Officials said the targeted syndicate, known as Hive, is among the world’s top five ransomware networks and has heavily targeted health care. The FBI quietly accessed its control panel in July and was able to obtain software keys it used with German and other partners to decrypt networks of about 1,300 victims globally, FBI Director Christopher Wray said.

How the takedown will affect Hive’s long-term operations is unclear. Officials announced no arrests but said, to pursue prosecutions, they were building a map of the administrators who manage the software and the affiliates who infect targets and negotiate with victims.

“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.

On Wednesday night, FBI agents seized computer servers in Los Angeles used to support the network. Two Hive dark web sites were seized: one used for leaking data of non-paying victims, the other for negotiating extortion payments.

“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack,” Garland said.

He said the infiltration, led by the FBI’s Tampa office, allowed agents in one instance to disrupt a Hive attack against a Texas school district, stopping it from making a $5 million payment.

Ransomware is the world’s biggest cybercrime headache.

The criminals lock up, or encrypt, victims’ networks, steal sensitive data and demand large sums. Their extortion has evolved to where data is pilfered before ransomware is activated, then effectively held hostage. Pay up in cryptocurrency or it is released publicly.

As an example of a Hive sting, Garland said it kept one Midwestern hospital in 2021 from accepting new patients at the height of the COVID-19 pandemic.

The online takedown notice, alternating in English and Russian, mentions Europol and German law enforcement partners. The German news agency dpa quoted prosecutors in Stuttgart as saying cyber specialists in the southwestern town of Esslingen were decisive in penetrating Hive’s criminal IT infrastructure after a local company was victimized.

In a statement, Europol said companies in more than 80 countries, including oil multinationals, have been compromised by Hive and that law enforcement from 13 countries was in on the infiltration.

A U.S. government advisory last year said Hive ransomware actors victimized more than 1,300 companies worldwide from June 2021 through November 2022, netting about $100 million in payments. Criminals using Hive’s ransomware-as-a-service tools targeted a wide range of businesses and critical infrastructure, including government, manufacturing and especially health care.

Though the FBI offered decryption keys to some 1,300 victims globally, Wray said only about 20% reported potential issues to law enforcement.

“Here, fortunately, we were still able to identify and help many victims who didn’t report. But that is not always the case,” Wray said. “When victims report attacks to us, we can help them and others, too.”

Victims sometimes quietly pay ransoms without notifying authorities — even if they’ve quickly restored networks — because the data stolen from them could be extremely damaging to them if leaked online. Identity theft is among the risks.

John Hultquist, the head of threat intelligence at the cybersecurity firm Mandiant, said the Hive disruption won’t cause a major drop in overall ransomware activity but is nonetheless “a blow to a dangerous group.”

“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” Hultquist said.

But analyst Brett Callow with the cybersecurity firm Emsisoft said the operation is apt to lessen ransomware crooks’ confidence in what has been a very high reward-low risk business. “The information collected may point to affiliates, launderers and others involved in the ransomware supply chain.”

Allan Liska, an analyst with Recorded Future, another cybersecurity outfit, predicted indictments, if not actual arrests, in the next few months.

There are few positive indicators in the global fight against ransomware, but here’s one: An analysis of cryptocurrency transactions by the firm Chainalysis found ransomware extortion payments were down last year. It tracked payments of at least $456.8 million, down from $765.6 million in 2021. Though Chainalysis said the true totals are certainly much higher, payments were clearly down. That suggests more victims are refusing to pay.

The Biden administration got serious about ransomware at its highest levels two years ago after a series of high-profile attacks threatened critical infrastructure and global industry. In May 2021, for instance, hackers targeted the nation’s largest fuel pipeline, causing the operators to briefly shut it down and make a multimillion-dollar ransom payment, which the U.S. government later largely recovered.
