How Offensive Action is Countering Ransomware
Feb 21, 2023
Ransomware attacks have crossed a red line for many countries with continued merciless attacks. The threat to national economies and critical infrastructure marked a turning point. Governments are fighting back, and one of the strategies now routinely employed is infiltrating the servers and infrastructure of ransomware gangs. A recent offensive action against a top ransomware gang shows it can be a powerful tool both to rattle ransomware groups and provide real-time help to victims.
The latest occurred last month. Top U.S. prosecutors revealed Jan. 26, 2023, a law enforcement operation involving 13 countries that infiltrated the Hive ransomware group’s infrastructure starting in July 2022. As a top U.S. law enforcement official characterized it: “Simply put, using lawful means, we hacked the hackers.” Hive was one of the most prolific ransomware-as-a-service (RaaS) groups, with affiliates using its ransomware to execute attacks and extort more than 1,500 victims. For seven months, investigators had “clandestine, persistent” access to Hive’s control panel and database. That enabled investigators to swipe decryption keys without Hive’s knowledge and distribute those keys to 336 victims actively under attack. More than 1,000 decryption keys were provided to previous Hive victims, and authorities estimated the action meant US $130 million was not paid to the gang. What does this mean for the Hive gang, and what influence will this action have with respect to the broader ransomware environment?
Hive Was Stung
Hive’s Tor sites and associated infrastructure were shut down, which means if the group wants to continue, it will have to start anew. That’s risky. Just a day after the announcement from the U.S. Justice Department and Europol, several personas associated with Hive deactivated their profiles on three cybercrime forums. The FBI seized communication records, malware file hashes and information on 250 Hive affiliates. It is unlikely affiliates would work with a gang that was so thoroughly compromised. Other ransomware groups have seen similar types of disruption through leaks, offensive action or cryptocurrency tracing, such as:
REvil: One of the group’s affiliates attacked dozens of managed service providers (MSPs) and their customers with ransomware in July 2021 after exploiting zero-day vulnerabilities in Kaseya’s VSA remote management software. Law enforcement, however, was already inside REvil’s systems and recovered a universal decryption key. In October 2021, the group was forced offline, including its “Happy Blog” data leak site.
Conti: In late February 2021, one of the most prolific ransomware gangs saw more than a year of Jabber chat logs released by a Twitter user going by the handle @TrickbotLeaks. The chat logs revealed how Conti was organized, including detailed information about the gang’s financial and human resources (HR) departments.
DarkSide: This group was responsible for the ransomware attack against the energy company Colonial Pipeline in May 2021. Law enforcement recovered US $2.3 million in bitcoin, which was part of the ransom paid by the company. Shortly after the attack, the group said it was under pressure and eventually shut down.
Ransomware groups that disband and slink into the darkness often rebrand or regroup with other gangs. We believe it is highly likely if Hive’s RaaS program does not resume operation, its affiliates will join other RaaS programs, such as the LockBit, AvosLocker and Royal operations. In fact, several representatives of other ransomware gangs have already been encouraging Hive affiliates to join their groups.
Offense in Action
The FBI obtained a search warrant to obtain data from servers that had been leased by Hive at a hosting facility in Los Angeles, California. Investigators linked three email addresses belonging to Hive’s operators to the servers. Investigators somehow uncovered those servers’ real IP addresses despite Hive utilizing Tor’s “hidden” sites feature. Tor’s hidden service feature replaces a website’s real domain with a “.onion” address and masks its true IP address, so it is difficult to uncover the real IP address of a site that uses it. It’s unclear what mistakes Hive’s operators made that allowed the real IP addresses to be discovered, but doing so enabled investigators to collect more data about the group.
From a disruption perspective, the operation is a success. Will it prove to be a deterrent? Deterrence in cyber is a hopeful yet tricky goal. In the near term, it may serve as a reminder to cybercriminals that authorities are highly focused on ransomware. Ransomware operators are also likely to take a close look at their operational security (OPSEC) to prevent embarrassing infiltrations and to improve their tactics, techniques and procedures (TTPs).
No Hive members were arrested. Ransomware actors are occasionally apprehended, but most of the prolific offenders are suspected to be in jurisdictions that will not extradite. Identifying perpetrators is also difficult. U.S. prosecutors have named alleged ransomware perpetrators before, such as those behind the ransomware attacks against businesses and government entities in Texas, U.S., and the attack on Kaseya. With Hive, it appears investigators may not have that level of detail yet: the State Department has offered up to US $10 million for information leading to arrests.
Victims: Ask for Help
The Hive operation should send a clear message to future ransomware victims to contact law enforcement. Unfortunately, ransomware victims have been reluctant to do that because they fear attention will be drawn to their already-stressful plight. In announcing the Hive operation, FBI Director Christopher Wray noted that only 20% of Hive’s victims reported the incidents to law enforcement. The Hive operation is an excellent example of why that thinking should be reconsidered. Some Hive victims received decryption keys within hours of attacks, a remarkable outcome and one that shows relief may be available. National cybersecurity and law enforcement agencies will know if keys or other help is available, but victims have to overcome their reluctance to contact authorities. The Hive operation shows that law enforcement is willing to channel help to victims as an investigation and offensive action are ongoing.
Hive and its affiliates were one of the most active groups throughout 2022, so its demise will cause a reshuffling. We would expect a short-term dip in overall attacks. But since there have been no arrests, the main actors could get back in business. Combating ransomware is an unending battle, as the threat actors behind these groups will simply rebrand and start anew under different group names.
More broadly, there are some signs on the horizon that point to increasing difficulties for ransomware actors. Intel 471 is seeing fewer ransomware victims enter into chat negotiation portals. This observation aligns with data collected by Coveware, which specializes in ransomware negotiations, and Chainalysis, both of which recently published research heralding a sharp drop in ransoms paid.
Those firms’ findings are a sign of two trends. First, victims may have backups to restore operations and not have to consider buying a decryption key. This has always been the best strategy: raising the base level of cybersecurity preparedness, eliminating low-hanging fruit for attackers and having a well-practiced disaster recovery plan and backups.
Second, “double extortion” may not be as viable a strategy as it once was for ransomware attackers. Hive and other ransomware groups exfiltrate data prior to encrypting the files. The data is then used as a lever: if an organization doesn’t pay for a decryption key, the threat of releasing the data publicly is used to pressure the victim to pay. But whether an organization pays or not, it has still experienced a data breach, and all of the regulatory obligations still apply.
Ransomware actors promise to delete the data after the ransom is paid. But victims can’t trust cybercriminals to do so since there’s no realistic way to verify it has been deleted. In one instance, Intel 471 analysts observed a threat actor make a long video that purportedly showed stolen data being deleted after a ransom was paid in an effort to convince the organization that the data had not been retained.
These are all encouraging indications that anti-ransomware efforts are beginning to exert pressure on ransomware actors. We don’t expect ransomware to significantly abate in 2023, but the signs point to a more constrained operating environment for threat actors.