Police smash global ransomware cartel saving companies $130 million

Law enforcement agencies from across the world have smashed a global cyber-criminal organisation which is suspected of receiving ransoms in excess of 100 million Euros in the past year.

Europol supported the German, Dutch and US authorities in taking down the infrastructure of the prolific HIVE ransomware. The international operation involved authorities from 13 countries in total. Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals.

“In the last year, HIVE ransomware has been identified as a major threat as it has been used to compromise and encrypt the data and computer systems of large IT and oil multinationals in the EU and the USA. Since June 2021, over 1500 companies from over 80 countries worldwide have fallen victim to HIVE associates and lost almost EUR 100 million in ransom payments,” Europol explained. “Affiliates executed the cyberattacks, but the HIVE ransomware was created, maintained and updated by developers.”

It added affiliates used the double extortion model of ‘ransomware-as-a-service’; first, they copied data and then encrypted the files. Then, they asked for a ransom to both decrypt the files and to not publish the stolen data on the Hive Leak Site. When the victims paid, the ransom was then split between affiliates (who received 80 %) and developers (who received 20%).

Other significant ransomware groups have also used this so-called ransomware-as-a-service (RaaS) model to perpetrate high-level attacks in the last few years.

“This has included asking for millions of euros in ransoms to decrypt affected systems, often in companies maintaining critical infrastructures,” Europol explained. “Since June 2021, criminals have used HIVE ransomware to target a wide range of businesses and critical infrastructure sectors, including government facilities, telecommunication companies, manufacturing, information technology, and healthcare and public health.”

In one major attack, HIVE affiliates targeted a hospital, which led to severe repercussions about how the hospital could deal with the COVID-19 pandemic. Due to the attack, the hospital had to resort to analogue methods to treat existing patients, and was unable to accept new ones.

Europol added affiliates attacked companies in different ways. Some HIVE actors gained access to victim’s networks by using single factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols. In other cases, HIVE actors bypassed multifactor authentication and gained access by exploiting vulnerabilities. This enabled malicious cybercriminals to log in without a prompt for the user’s second authentication factor by changing the case of the username. Some HIVE actors also gained initial access to victim’s networks by distributing phishing emails with malicious attachments and by exploiting the vulnerabilities of the operating systems of the attacked devices.

About EUR 120 million was saved thanks to mitigation efforts.

Europol said it streamlined victim mitigation efforts with other EU countries, which prevented private companies from falling victim to HIVE ransomware.

“Law enforcement provided the decryption key to companies which had been compromised in order to help them decrypt their data without paying the ransom,” It added. “This effort has prevented the payment of more than $130 million or the equivalent of about EUR 120 million of ransom payments.”

Europol added affiliates attacked companies in different ways. Some HIVE actors gained access to victim’s networks by using single factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols.

SHARE: