Investigators from Germany, the USA and the Netherlands have broken up the global ransomware network "Hive". According to the German prosecutors, 70 of the more than 1,500 cyberattacks on organizations worldwide targeted Germany.
Comments from experts Kimberly Goody and John Hultquist on the Hive network and the likely consequences of the takedown:
“In our 2022 Incident Response research, Hive was the most active of all ransomware families observed: Hive was responsible for more than 15 percent of the ransomware attacks we responded to. Those affected come from a large number of countries. However, the group has had its greatest impact in the United States, where 50 percent of all known victims are based. The actors behind the operation continued to develop Hive and rewrote the ransomware using the Rust programming language in mid-2022. This was probably intended to complicate analysis and prevent detection.
Wide attacker toolbox
Since its release, we have observed that several actors have used the Hive ransomware. The most active player we found last year was UNC2727. The group's operations are noteworthy because they have regularly impacted the healthcare sector.
Hive wasn't the only ransomware in the group's toolbox. According to our observations, it has used CONTI and MOUNTLOCKER in the past. This shows that some actors already have relationships within the broad ecosystem that could allow them to easily rebrand their operations.” (Kimberly Goody, Senior Manager, Client Intelligence at Google Cloud)
Ransomware activity is barely declining
“Breaking up the Hive service will not result in a significant decrease in overall ransomware activity. Still, it's a blow to a dangerous group that has endangered lives by attacking healthcare systems. Unfortunately, at the heart of the ransomware problem lies a criminal marketplace in which a competitor to Hive will be standing by to offer a similar service in its absence. However, they may think twice before allowing their ransomware to be used to attack hospitals.
Better defense needed
Actions like breaking up Hive add friction to ransomware operations. Hive may need to regroup, retool, and even rebrand. When arrests aren't possible, we need to focus on tactical solutions and better defenses. Until we are able to tackle the Russian safe haven and the resilient cybercrime market, that is what we will need to focus on.” (John Hultquist, Head of Client Threat Intelligence at Google Cloud)
More at Mandiant.de
About Mandiant
Mandiant is a recognized leader in dynamic cyber defense, threat intelligence and incident response. With decades of experience on the cyber frontline, Mandiant helps organizations confidently and proactively defend against cyber threats and respond to attacks. Mandiant is now part of Google Cloud.