Justice Dept. Dismantles a Major Ransomware Operation
WASHINGTON — Federal investigators dismantled the computer networks of a cybercriminal organization that had demanded hundreds of millions of dollars in ransom from schools, hospitals and other critical infrastructure, the Justice Department said on Thursday.
In July, the F.B.I. and its counterparts in Germany, the Netherlands and the European law enforcement agency Europol gained covert access to the servers and websites run by the organization, Hive, considered one of the most active ransomware groups last year. Over the next few months, agents hid in the system, identified targets and repeatedly thwarted Hive’s attempts to extort over 300 victims, preventing them from having to pay $130 million in ransoms.
The effort was a “21st century cyber-stakeout,” Lisa O. Monaco, the deputy attorney general, said during a news conference on Thursday. “Simply put, using lawful means, we hacked the hackers.”
The operation against Hive is part of a larger effort by the department to combat ransomware, a global threat that has grown in recent years and one that the Biden administration has deemed a national security priority.
On Wednesday night, officials seized two back-end computer servers in Los Angeles used by Hive and dismantled its sites on the dark web, which allows users to hide their identities, Attorney General Merrick B. Garland said in the news conference. The department did not announce any arrests, but officials said the investigation was continuing.
“Cybercrime is a constantly evolving threat,” Mr. Garland said. “But as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack.”
Since July 2021, Hive affiliates have operated a so-called double extortion scheme in which hackers encrypt the victims’ data, threaten to leak it online and demand a ransom payment, often worth millions of dollars, to return access and a promise to not publish the stolen information.
Through these attacks, the group successfully extorted over $100 million in payments and targeted over 1,500 schools, hospitals, companies and other institutions that officials have deemed critical infrastructure. Those include health care groups and school districts in the United States as well as major companies in Europe and Costa Rica’s public health system.
In one attack, on a hospital in the Midwest during the coronavirus pandemic in August 2021, Hive prevented the hospital from accepting new patients and from gaining access to its digital database of patient information, forcing hospital workers to rely on analog copies. The hospital recovered its data only after paying a ransom.
Only 20 percent of Hive’s victims reported potential issues to law enforcement, according to Christopher A. Wray, the F.B.I. director, who urged other victims of ransomware to speak up.