Two weeks ago the U.S. Department of Justice (DOJ) announced the recent takedown of a notorious ransomware operation called Hive.
As Deputy Attorney General Lisa Monaco put it, “In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million in ransomware payments.”
Embedded in the body of the press release is a copy of the DOJ affidavit submitted to the court to execute a warrant on the Hive servers.
It was submitted to show probable cause for the requested warrant.
The affidavit is twenty-four (24) pages—legally constructed for a judge’s review.
I have edited just a few excerpts that describe the Hive set-up and give us a stunning partial visual of the navigation services made available by Hive for their criminal affiliates.
What follows are quotes and screenshots from the DOJ affidavit:
“9. Hive uses a ransomware-as-a-service (“RaaS”) model featuring administrators, sometimes called developers, and affiliates (collectively, the “Hive actors”).
“RaaS is a subscription-based model where the developers or administrators develop a ransomware strain and create an easy-to-use interface with which to operate it and then recruit affiliates to deploy the ransomware against victims.
“Affiliates identify targets and deploy this readymade malicious software to attack victims and then earn a percentage of each successful ransom payment
“10. From victim reporting, the FBI has learned that Hive actors employ a double extortion model of attack. Before encrypting the victim system, the affiliate will exfiltrate or steal sensitive data.
“The affiliate then seeks a ransom for both the decryption key necessary to decrypt the victim’s system and a promise to not publish the stolen data.
“Hive actors frequently target the most sensitive data in a victim’s system to increase the pressure to pay.
“After a victim pays, affiliates and administrators split the ransom 80/20. Hive publishes the data of victims who do not pay on the Hive Leak Site.”
The affidavit goes into detail about how the criminals hide within the Tor dark web network.
“C. Background Concerning the Tor Network
“15. The Hive network has been able to remain online and beyond the reach of U.S. and foreign law enforcement because it is set up as a “hidden service” on the “Tor network.”
“The Tor network is designed specifically to facilitate anonymous communication over the Internet.
“In order to access the Tor network, a user must install Tor software either by downloading an add-on to the user’s web browser or by downloading the free “Tor browser bundle”…
“Use of the Tor software bounces a user’s communications around a distributed network of relay computers run by volunteers all around the world, thereby masking the user’s actual IP address which could otherwise be used to identify user.
“Because of the way Tor routes communications through other computers, traditional IP identification techniques are not viable.
“When a user on the Tor network accesses a website, for example, the IP address of a Tor “exit node,” rather than the user’s actual IP address, shows up in the website’s IP log.
“An exit node is the last Tor network computer through which a user’s communications were routed. There is no practical way to trace the user’s actual IP address back through that Tor exit node IP address.
“16. Within the Tor network, entire websites can be set up as “hidden services.” “Hidden services” operate the same as regular public websites with one critical exception.
“The IP address for the web server is hidden and instead is replaced with a Tor-based web address, which is a series of algorithm generated characters, such as “asdlk8fs9dflku7f” followed by the suffix “.onion.”
“A user can only reach these “hidden services” if the user is using the Tor client and operating in the Tor network. And unlike an open Internet website, it is not possible to determine through public lookups the IP address of a computer hosting a Tor “hidden service.”
“Neither law enforcement nor users can therefore determine the location of the computer that hosts the website through those public lookups.
“A criminal suspect’s use of Tor accordingly makes it extremely difficult for law enforcement agents who are investigating a Tor hidden service to detect the host’s, administrator’s, or users’ actual IP addresses or physical locations.
“17. A Tor hidden service generates its .onion address by creating “public/private keypairs.”
“Public/private key pairs are elements of “asymmetric cryptography,” the same sort of cryptography used as the bases for PGP2 keys and many cryptocurrencies.
“In the case of Tor hidden services, the public key, represented as the .onion address, may be widely disseminated to users seeking to access the hidden service. The private key controls access to the .onion.
“D. Hive’s Tor Infrastructure
18. To facilitate the RaaS model, the Hive administrators set up a network of servers to run their online criminal business.
“The public-facing side or “frontend” of the network consists of four Tor-accessible websites or “Panels”, each for a different type of user/audience.
“A separate server used by the Hive actors but inaccessible to the public (the “backend” server) hosts a database that supports the front-facing Tor panels and leak site.
“The specific function of each panel represented in this screenshot will be discussed further below.
“19. Logging into the user interface hosted on the Admin Panel, the administrator is able to manage the Hive database, track attacks, communicate with affiliates about their campaigns against specific victims and negotiate ransom payments with victims.
“A screenshot of the login page with the Hive honeycomb motif is below:
“20. Through the Affiliate Panel, the affiliate creates a record for each victim, enters information about the victim, downloads the Hive ransomware for the infection, and then tracks progress including the creation date, encryption date, and payment date.
“The data entered via the Affiliate Panel are stored in the backend database.
“Affiliates can also track negotiations with victims and request their cut of the ransom payment by clicking the “pay out” button as seen in the screenshot below:
“21. From victim reporting, the FBI has learned that when a victim is encrypted, the Hive actor leaves a ransom note in the victim’s system with login credentials to the Hive Victim Panel, which the Hive actors refer to as the “Sales Department.”
“Through the Victim Panel, the victim can negotiate the ransom payment, receive proof of exfiltrated data and payment instructions, and receive the decryption key after making a ransom payment.”
FINAL THOUGHT
The ability of law enforcement to infiltrate a ransomware operation, camp out in it, and disrupt it before they could carry out their intent to further disrupt and extort the victim is an important achievement. Well done FBI.
Disclaimer: IPProbe.Global is a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, regarding the content provided in IPProbe.Global. We disclaim all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such persons and the accuracy and validity of the information provided by them. This blog is for general information only and not intended to provide legal or other professional advice.
0 comments on “FBI Ransomware 21st-Century Stake-Out”