URL: https://www.npr.org/2023/01/26/1151696092/fbi-says-it-hacked-the-hackers-to-shut-down-major-ransomware-group
The FBI spent months spying on the ransomware group Hive and secretly helped
victims before shutting the entire operation down.


NATIONAL SECURITY


FBI SAYS IT 'HACKED THE HACKERS' TO SHUT DOWN MAJOR RANSOMWARE GROUP

January 26, 2023, 11:50 AM ET

Jenna McLaughlin

U.S. Attorney General Merrick Garland speaks during a news conference with
Deputy Attorney General Lisa Monaco (left), and FBI Director Christopher Wray at
the Department of Justice in Washington on Thursday. Ting Shen/Bloomberg via
Getty Images

WASHINGTON — The Department of Justice on Thursday announced the destruction of
the Russian-linked Hive ransomware group after a global law enforcement
operation that ran for months.

The criminal syndicate sold ransomware tools and services to affiliates around
the world starting in the summer of 2021, at the height of the COVID-19
pandemic.

They received more than $100 million in profits from victims who paid to get
their data back or prevent it from being leaked. According to the Justice
Department, Hive targeted more than 1,500 victims in over 80 countries, from
hospitals to Costa Rica's public health agency, crippling businesses and harming
critical infrastructure.

The FBI says it hacked into Hive's networks in July 2022, burrowing into its
digital infrastructure to spy on the group's operations and gather important
intelligence before ultimately dismantling the operation on Wednesday night.

"Simply put, using lawful means, we hacked the hackers," explained Deputy
Attorney General Lisa Monaco during a press conference Thursday.


ASSISTING THE VICTIMS

According to FBI Director Chris Wray, law enforcement officers were able to
provide digital keys to victims who had notified the FBI. This allowed the
victims to retrieve their files and return to business without paying a ransom.
The Justice Department claims the intervention saved over $130 million in ransom
payments, a figure that could have been higher had more victims come forward.



Additionally, the FBI and its partners in Europol and German and Dutch law
enforcement were able to completely take over Hive's digital infrastructure,
from its command and control servers to its darkweb extortion website where it
advertises its victims and dumps stolen data.

On Wednesday evening, the leak site was replaced with a banner from the
international group of law enforcement agencies announcing the seizure.

The infiltration and ultimate disruption of the Hive ransomware group is the
latest effort by the Department of Justice to fight back against the plague of
damaging and costly ransomware attacks in recent years.

In July 2021, the Biden administration launched the Ransomware and Digital
Extortion Task Force, bringing together resources from the Justice Department
and the Department of Homeland Security to seek and act on intelligence about
ransomware.

The Justice Department has also sanctioned tools ransomware groups use to hide
and move their money, seized cryptocurrency wallets belonging to ransomware
groups, and arrested prominent ransomware actors.


A WARNING TO OTHER RANSOMWARE GROUPS

The operation targeting Hive continues in a pattern of using several different
tools to respond to ransomware groups in different ways.

"We've made it clear that we will strike back against cybercrime using any means
possible," said Monaco, the deputy attorney general.



The Justice Department did not announce any specific arrests or information
about how it located Hive's servers. When asked whether the group has ties to
Russia or whether arrests might be announced in the future, Attorney General
Merrick Garland said he wouldn't comment further on ongoing investigations.

Ransomware expert and cybersecurity analyst Allan Liska explained that the
Justice Department's decision to disrupt Hive makes sense, because the
intelligence value of hiding in their networks was decreasing.

"I think one of the big reasons is we've seen a significant slowdown in Hive
attacks," he said. Without revenue from victims, Hive may have made the choice
to shut down, he said. "So it makes sense as a good time to go ahead and seize
everything and grab as much intelligence as you can from them."

Liska said he also expects the Justice Department to announce arrests in the
future. But perhaps most importantly, the operation should inspire fear that the
FBI is lurking in the networks of other ransomware groups, he added.

"So it's a pretty impressive operation overall. And I like the fact that they
were very clear that, 'Yeah, we infiltrated their network and we spent what is
it now, eight months in that network,'" said Liska. "That has got to have a
whole lot of other ransomware groups really, really nervous right now."

While Hive has not been one of the most damaging ransomware groups, it was
responsible for a large number of incidents.

According to Kimberly Goody, a senior manager at Mandiant Threat Intelligence
and Google Cloud, Hive ransomware was found in over 15 percent of the intrusions
her team responded to in 2022, over 50 percent of them in the United States and
many impacting the healthcare sector.

Hive has been destroyed, but ransomware experts said the operators will most
likely join other groups or rebuild, a common phenomenon in what's become a
global industry.



Additionally, members in Russia will likely continue to operate with impunity,
as the Russian state has often declined to pursue investigations or arrests, or
to extradite those charged to the United States.

However, the disruption forces those operators to pause and do costly and
time-consuming work to rebuild.

"Actions like this add friction to ransomware operations. Hive may have to
regroup, retool, and even rebrand," said John Hultquist, the head of Mandiant
Threat Intelligence within Google Cloud.

"The disruption of the Hive service won't cause a serious drop in overall
ransomware activity, but it is a blow to a dangerous group that has endangered
lives by attacking the healthcare system," he said.
