DoJ, FBI Take Down HIVE Ransomware Group - More To Come?
1–30–2023 (Monday)
Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and portfolio company management teams. I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io
Today is Monday January 30th, and I’m back from a week off for a family vacation.
While I was offline, we learned about just how busy the FBI has been in combatting ransomware - the big news being the complete and total infiltration of the HIVE ransomware group, and their shutdown this week.
Let’s dive in.
Finally: Action from USG on Ransomware
New broke this week that the Department of Justice and Federal Bureau of Investigation, in conjunction with both German and Dutch law enforcement agency colleagues, have infiltrated the Hive ransomware gang since at least July of 2022, and culminated in a total shutdown of the group last week.
Deputy Attorney General Lisa O Monaco said: "Simply put, using lawful means, we hacked the hackers." This is fantastic news - and I’ve been openly critical of the apparent lack of progress coming out of the US Government, including their recent International Counter Ransomware Initiative. Turns out they’ve been more active than we knew.
For reference, Hive was a very active participant in the ransomware scene last year, with the DoJ noting their take of more than $100M in ransomware payments as a group.
The penetration and disruption of this ransomware gang saved over 1,000 victims (by distributing decryption keys), averting more than $130M in additional payments.
Not only does this activity disrupt a particularly active ransomware gang, but it sews additional paranoia and distrust amongst the other operators, many of whom are working in a new distributed model that requires some levels of trust and collaboration to succeed.
There was a good Wall Street Journal article this week highlight just how the US Intelligence Community wants to leverage this inherent distrust and use human psychology to avert cyberattacks - so we should expect to see more efforts like this. Already, General Nakasone - head of US Cyber Command - has noted publicly that his group and the NSA are working to provide “combat-capable forces in cyberspace that engage in active campaigning to disrupt adversary actions, demonstrate capabilities and resolve, shape adversary perceptions and gain warfighting advantages should deterrence fail.”
Hive operated in this new “Ransomware as a Service” and affiliate model, and used a double-extortion model - where they would exfiltrate data before encrypting it and then ransom both the key and the threat of disclosure. The affiliates would then split the take 80/20 with the Hive team - delivering additional revenue opportunities to each side of the equation.
In addition to shutting down their leak site and giving out their decryption keys, the the DOJ said it “would pursue those behind Hive until they were brought to justice.”
To that end, they are offering a $10M reward for information that “could help link the Hive ransomware group (or other threat actors) with foreign governments.”
In what almost certainly not a coincidence, the “Russian telecommunications regulator Roskomnadzor blocked access to the U.S. State Department’s Rewards for Justice website on Friday, alongside the sites for the Central Intelligence Agency and the Federal Bureau of Investigation.”
“The Rewards for Justice Program offers to pay individuals who share information “that helps protect U.S. national security,” and has for some time listed several Russian military intelligence officers among its targets.”
In another bit of news that’s likely not a coincidence, security firm Chainalysis released a report this past week that total ransomware payments were down more than 40% last year - to less than $500M, after two years of payments totaling more than $750M in both 2020 and 2021.
“However, that doesn’t mean attacks are down, or at least not as much as the drastic dropoff in payments would suggest. Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers.”
Increasingly, the threat of sanctions and better functional backups has reduced this trend - but we’re still seeing the number of attacks rise year over year.
So, while this is hopeful news, it’s not the end of ransomware and we need to make sure that our portfolio companies and those we’re acquiring are prepared to detect, defend against, and recover from an ever-changing ransomware landscape.
Fundraising
Both of the last two weeks have turned in more than $12B in newly committed funds, putting us a a pretty solid start for 2023 - nearly $70B in January alone, at an average of more than $17B/week.
There have already been some big fund announcements today - so we’re going to see that January total rise, and are off to a really solid start for Q1 23. All of this dry powder should bolster dealflow as we come out of the holiday season, and get things in gear. Macro factors remain frothy, but I expect the deals to continue - both the high volume of small rollups and the large take privates. Stay tuned!
You can find all the links to the stories we covered in the links below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.
Links
https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant
https://www.bbc.com/news/technology-64418723
https://therecord.media/russia-blocks-access-to-us-rewards-for-justice-fbi-and-cia-websites/
https://blog.chainalysis.com/reports/crypto-ransomware-revenue-down-as-victims-refuse-to-pay/