The FBI and international partners have at least temporarily dismantled the network of a prolific ransomware gang they infiltrated last year, saving victims including hospitals and school districts a potential 130 million dollars (£105 million) in ransom payments, US officials announced.
“Simply put, using lawful means we hacked the hackers,” deputy attorney general Lisa Monaco said at a news conference.
Officials said the targeted syndicate, known as Hive, operates one of the world’s top five ransomware networks and has heavily targeted hospitals and other healthcare providers.
The FBI quietly gained access to its control panel in July and was able to obtain software keys to decrypt the network of some 1,300 victims globally, said FBI director Christopher Wray.
It was not immediately clear how the takedown will affect Hive’s long-term operations, however.
Officials did not announce any arrests but said they were building a map of Hive’s administrators, who manage the software, and affiliates, who infect targets and negotiate with victims, to pursue prosecutions.
“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Mr Wray said.
On Wednesday night, FBI agents seized computer infrastructure in Los Angeles that was used to support the network.
Two Hive dark web sites were seized: one used for leaking data of non-paying victims, the other for negotiating extortion payments.
“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack,” Mr Garland said.
US attorney general Merrick Garland said that thanks to the infiltration, led by the FBI’s Tampa office, agents were able in one instance to disrupt a Hive attack against a Texas school district, stopping it from making a five million dollar (£4 million) payment.
The ransomware scourge is the world’s biggest cybercrime headache, with everything from Britain’s postal service and Ireland’s national health service to Costa Rica’s government crippled by Russian-speaking syndicates that enjoy Kremlin protection.
The criminals lock up, or encrypt, victims’ computer networks, steal sensitive data and demand large sums.
As an example of Hive’s threat, Mr Garland said it had prevented a hospital in the Midwest in 2021 from accepting new patients at the height of the Covid-19 epidemic.
The online takedown notice, alternating in English and Russian, mentions Europol and German federal and state police as partners in the effort.
The German news agency dpa quoted the public prosecutor’s office in Stuttgart as saying cyber specialists in the south-western town of Esslingen were decisive in penetrating Hive’s criminal IT infrastructure after a local company was victimised.
In a statement, Europol said companies in more than 80 countries, including oil multinationals, have been compromised by Hive.
It said Europol assisted with cryptocurrency, malware and other analysis, and that law enforcement agencies from 13 countries were involved in the effort.
It said criminals using Hive ransomware targeted a wide range of businesses and critical infrastructure, including government, manufacturing and especially healthcare and public health facilities.
The threat captured the attention of the highest levels of the Biden administration two years ago after a series of high-profile attacks that threatened critical infrastructure and global industry.
In May 2021, for instance, hackers targeted the nation’s largest fuel pipeline, causing the operators to briefly shut it down and make a multimillion-dollar ransom payment that the US government largely recovered.
Federal officials have used a variety of tools to try to combat the problem, but conventional law enforcement measures such as arrests and prosecutions have done little to frustrate the criminals.
The FBI has obtained access to decryption keys before.
It did so in the case of a major 2021 ransomware attack on Kaseya, a company whose software runs hundreds of websites.
It took some heat, however, for waiting several weeks to help victims unlock afflicted networks.