Peel Regional Police part of international takedown of ransomware group infrastructure

Peel Regional Police were the lead Canadian law enforcement agency involved in a multi-year, cross-border investigation that has culminated in the “infrastructure takedown and domain seizure” of a dreaded ransomware group that’s bilked hundreds of millions of dollars from victims around the world.

In a release Thursday, Peel police said they began their probe into the HIVE ransomware group in the fall of 2021, when a business in Peel Region was victimized.

“The business had “their entire computer network was rendered inoperable and a significant amount of data was compromised,” Peel police said in a release.

“The suspects identified themselves as the HIVE Ransomware Group and demanded payment in Bitcoin (BTC) to decrypt the compromised data,” police added. “The victim did not to pay the ransom, restoring their data via backups, a critical line of defense against ransomware attacks, and contacted police.”

Since then, police said at least 71 Canadian businesses and organization have been victimized.

The scope of the investigation soon spanned the entire world and included the FBI, Europol, and the Joint Cybercrime Taskforce.

Investigators say the hackers access secure computer systems to gain access to secure information while debilitating the system. Ransom is then requested to restore the system.

“The secure information can also be stolen from the breached computer system and sold on a black market for a significant amount,” police said.

SickKids hospital in Toronto was recently targeted in a ransomware attack, but Peel police could not confirm if that attack was connected to the HIVE probe.

 ‘We hacked the hackers’: FBI

The FBI says it has at least temporarily dismantled the HIVE network, saving victims including hospitals and school districts a potential $130 million in ransom payments, Attorney General Merrick Garland and other U.S. officials announced Thursday.

“Simply put, using lawful means we hacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference.

The FBI quietly gained access to its control panel in July and was able to obtain software keys to decrypt the network of some 1,300 victims globally, said FBI Director Christopher Wray.

It was not immediately clear how the takedown will affect HIVE’s long-term operations, however.

Officials did not announce any arrests but said they were building a map of HIVE’s administrators, who manage the software, and affiliates, who infect targets and negotiate with victims, to pursue prosecutions.

“I think anyone involved with HIVE should be concerned because this investigation is ongoing,” Wray said.

On Wednesday night, FBI agents seized computer infrastructure in Los Angeles that was used to support the network. HIVE’s dark web site was also seized.

“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack,” Wray said.

Garland said that thanks to the infiltration, led by the FBI’s Tampa office, agents were able in one instance to disrupt a HIVE attack against a Texas school district, stopping it from making a $5 million payment.

The operation is a big win for the Justice Department.

The ransomware scourge is the world’s biggest cybercrime headache with everything from Britain’s postal service and Ireland’s national health service to Costa Rica’s government crippled by Russian-speaking syndicates that enjoy Kremlin protection.

As an example of HIVE’s threat, Garland said it had prevented a hospital in the Midwest in 2021 from accepting new patients at the height of the COVID-19 epidemic.

A U.S. government advisory last year said HIVE ransomware actors victimized over 1,300 companies worldwide from June 2021 through November 2022, receiving approximately $100 million in ransom payments. It said criminals using HIVE ransomware targeted a wide range of businesses and critical infrastructure, including government, manufacturing and especially health care and public health facilities.

The threat captured the attention of the highest levels of the Biden administration two years ago after a series of high-profile attacks that threatened critical infrastructure and global industry.

In May 2021, for instance, hackers targeted the nation’s largest fuel pipeline, causing the operators to briefly shut it down and make a multimillion-dollar ransom payment that the U.S. government largely recovered.

Federal officials have used a variety of tools to try to combat the problem, but conventional law enforcement measures such as arrests and prosecutions have done little to frustrate the criminals.

The FBI has obtained access to decryption keys before. It did so in the case of a major 2021 ransomware attack on Kaseya, a company whose software runs hundreds of websites. It took some heat, however, for waiting several weeks to help victims unlock afflicted networks.