International operation taking down ransomware servers
An international operation with authorities from 13 countries has shut ransomware HIVE servers and shared decryption keys with victims, helping them regain access to their data without paying the cybercriminals, Europol has announced.
“In the last year, HIVE ransomware has been identified as a major threat as it has been used to compromise and encrypt the data and computer systems of large IT and oil multinationals in the EU and the USA.”
Europol says that since June 2021, over 1 500 companies from over 80 countries worldwide have been victims to HIVE associates and lost almost EUR 100 million in ransom payments.
“Affiliates executed the cyberattacks, but the HIVE ransomware was created, maintained and updated by developers.”
“Affiliates used the double extortion model of ‘ransomware-as-a-service’; first, they copied data and then encrypted the files. Then, they asked for a ransom to both decrypt the files and to not publish the stolen data on the Hive Leak Site.”
When the victims paid, the ransom was split between affiliates (who received 80 %) and developers (who received 20 %), according to Europol data.
“Other dangerous ransomware groups have also used this so-called ransomware-as-a-service (RaaS) model to perpetrate high-level attacks in the last few years. This has included asking for millions of euros in ransoms to decrypt affected systems, often in companies maintaining critical infrastructures”, Europol says.
“Since June 2021, criminals have used HIVE ransomware to target a wide range of businesses and critical infrastructure sectors, including government facilities, telecommunication companies, manufacturing, information technology, and healthcare and public health. In one major attack, HIVE affiliates targeted a hospital, which led to severe repercussions about how the hospital could deal with the COVID-19 pandemic.”
Europol says the affiliates attacked companies in different ways. Some HIVE actors gained access to victim’s networks by using single factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols. In other cases, HIVE actors bypassed multifactor authentication and gained access by exploiting vulnerabilities.
“This enabled malicious cybercriminals to log in without a prompt for the user’s second authentication factor by changing the case of the username. Some HIVE actors also gained initial access to victim’s networks by distributing phishing emails with malicious attachments and by exploiting the vulnerabilities of the operating systems of the attacked devices.”
Europol says the action has prevented the payment of more than USD 130 million of ransom payments.
Law enforcement authorities from the following countries participated in the action: Canada, France, Germany, Ireland, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, UK, USA.
Moonshot News is an independent European news website for all IT, Media and Advertising professionals, powered by women and with a focus on driving the narrative for diversity, inclusion and gender equality in the industry.
Our mission is to provide top and unbiased information for all professionals and to make sure that women get their fair share of voice in the news and in the spotlight!
We produce original content, news articles, a curated calendar of industry events and a database of women IT, Media and Advertising associations.