The Justice Department’s months-long disruption campaign and seizure of the Hive ransomware group’s IT infrastructure was a significant win for schools in the fight against ransomware.
But experts don’t expect it, or any isolated event, to ultimately diminish the persistent threat and forces that propel ransomware activity.
The Hive ransomware group targeted more than 1,500 organizations globally, including school districts, healthcare providers and software vendors, the Justice Department said last month. The group received more than $100 million in ransom payments since it was first observed in June 2021.
The takedown did not result in criminal arrests of any individuals involved or affiliated with Hive, and the predominant assumption is that the Hive members will regroup or splinter to join other ransomware groups, an effort that could already be well under way.
Law enforcement efforts against ransomware can only do so much. The ransomware threat is omnipresent, and much of the activity remains under wraps because the vast majority of target victims don’t report attacks.
“Unfortunately, during these past seven months, we found that only about 20% of Hive’s victims reported potential issues to law enforcement,” FBI Director Christopher Wray said last month in a press conference announcing the disruption of Hive’s activities.
An outstanding threat from ransomware remains at large.
Threat actor takedowns can be a Band-Aid on an open wound. It might temporarily slow, or at best halt activities in one circle of cybercrime but it’s not ultimately a deterrent in today’s environment.
“Previous disruptions have brought a small amount of temporary reprieve, so they aren’t pointless and they do send the message that we are trying to come after you,” Chester Wisniewski, field CTO of applied research at Sophos, said via email.
But the takedown “is only putting a small dent in the problem,” Wisniewski said.
Ransomware remains an open wound
Ransomware is a big business, and the rewards are often greater than the risk.
Hive was the most prolific variant of ransomware, accounting for more than 15% of the ransomware intrusions Mandiant responded to in 2022. Half of its public victims last year were based in the U.S., according to Kimberly Goody, senior manager of cyber crime analysis at Google Cloud.
“There are more than 25 major ransomware cartels globally,” Darren Guccione, CEO and co-founder of Keeper Security, said via email.
The global network of developers and licensees are “organized and methodical, especially when it comes to training new bad actors who seek to profit from this lucrative dark business,” Guccione said.
Lowering the overall impact of ransomware requires every organization to significantly improve their defense and resilience while simultaneously reducing the capabilities of threat actors.
“Both of those seem like vast, vast undertakings,” Andrew Barratt, VP of technology and enterprise accounts at the cybersecurity advisory Coalfire, said via email.
“Ransomware is highly lucrative because it provides a shortcut to results. It is really a modern tech-enabled version of extortion,” Barratt said.
The financial incentives make it less helpful to analyze ransomware from a criminal mindset.
“Just look at it from a business mindset. If you were laid off because your organization went bankrupt, would you stop looking for work? Probably not,” said Paul Furtado, VP analyst at Gartner.
“You're going to want to find some other means of gainful employment. And if that's your skill set, you'll go somewhere else, or you'll get together with a group of folks and create your own startup,” Furtado said.
Hive’s tools and tactics may live on
Experts hope law enforcement observed Hive’s tools and tactics during its months-long presence on the group’s infrastructure — an effort that could bear long-term benefits for potential ransomware victims.
“It’s possible that law enforcement has more intelligence on the groups from observing their activity, so some vulnerabilities or techniques may be at risk for the groups who may need to shift tactics to continue to be effective,” Scott Caveza, senior manager of research at Tenable, said via email.
Absent that, the tools and tactics used by Hive will likely be used by threat actors to target new victims.
The persistent presence law enforcement had on Hive’s network sets this action apart from previous takedowns, according to Mike McPherson, SVP of security operations at ReliaQuest.
“These offensive actions will cause affiliates to pause and question the ransomware organizations about their ability to provide clean tools and tactics,” said McPherson, who previously served as the special agent in charge of the FBI field office that ran the investigation into Hive.
“Casting doubt on the criminal organizations has proven to be an effective tool for law enforcement,” McPherson said.
Whether law enforcement or threat actors gain meaningful and prolonged advantages from the Hive takedown remains an open question.
Cybersecurity professionals resoundingly applauded the latest disruption, but there remains a mess of trepidation about what comes next.
“This is not a panacea for adequate investment in cybersecurity. The bad actors are still out there,” Furtado said. “They continue to morph, they continue to splinter. They are still coming after you and you still need to protect your environment.”