Pierluigi Paganini
January 26, 2023
The Tor leak site used by Hive ransomware operators has been seized as part of an international operation conducted by law enforcement in 10 countries.
“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware.” reads the message displayed in English and Russian on the Hive ransomware website.
Law enforcement also informs visitors that the action has been taken in coordination with the US authorities in Florida and Europol.
At the time of this writing the law enforcement agencies involved in the operation have yet to publish an official statement on the seizure.
The threat actors behind the Hive ransomware-as-a-service (RaaS) have extorted $100 million in ransom payments from over 1,300 companies worldwide as of November 2022, reported the U.S. cybersecurity and intelligence authorities.
As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments” reads the alert published by CISA in November.
The authorities reported that from June 2021 through at least November 2022, threat actors targeted a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).
The Hive ransomware operation has been active since June 2021, it provides Ransomware-as-a-Service Hive and adopts a double-extortion model threatening to publish data stolen from the victims on their leak site (HiveLeaks). In April 2021, the Federal Bureau of Investigation (FBI) released a flash alert on the Hive operation attacks that includes technical details and indicators of compromise associated with the operations of the gang. According to a report published by blockchain analytics company Chainalysis, the Hive ransomware is one of the top 10 ransomware strains by revenue in 2021. The group used various attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.
In June, the Microsoft Threat Intelligence Center (MSTIC) researchers discovered the new variant, while analyzing a new technique used by the ransomware for dropping .key files.
The main difference between the new variant of the Hive malware is related to the programming language used by the operators. The old variants were written in the Go language, while the new Hive variant is written in Rust.
Update: Europol confirmed the operation.
“Europol supported German, Dutch and US authorities to shut down the servers and provide decryption tools to victims.” reads the announcement published by Europol.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]
