Leadership, Incident Response, Threat Management

Hive takedown illustrates FBI’s evolution towards victim-recovery efforts

FBI Director Christopher Wray

The public blowback was swift and fierce when reports came out following the 2021 Kaseya ransomware attack that the FBI had obtained a decryptor for REvil’s malware but chose to hold onto it in secret for more than three weeks before passing it along to victims.

The bureau was pilloried by much of the broader cybersecurity community, as well as members of Congress, for seemingly prioritizing its own investigative and law enforcement activities while leaving hundreds of Kaseya customers twisting in the wind, agonizing over whether to pay millions of dollars in ransom or refuse and see their data lost or leaked on the internet.

Months after the attack, the Washington Post reported that although they had the decryptor key needed to unlock those systems for weeks, FBI officials kept that fact under wraps as they hoped to leverage it in a future operation to disrupt REvil’s ransomware network. When FBI Director Christopher Wray appeared before legislators that same day, he argued that in addition to helping victims recover their systems and data, the FBI had an obligation to use the decryptor to further its broader law enforcement mission. He also claimed that IT security teams needed to scour the tool to ensure it wasn’t infected with malware or malicious code that could be passed on to victims.

Former Rep. Jim Langevin, D-R.I., co-founder of the Congressional Cybersecurity Caucus who built a reputation as one of the most cyber-savvy House legislators, echoed the frustration of many on the Hill and within the private sector when he chided Wray for the bureau’s response, analogizing it to the police blocking firefighters from putting out a house fire because it might damage forensic evidence that would help them investigate the arsonist.

“I would just push back and say that asset response has to be higher on the priority list. So much could have been prevented had those decryption keys been given to businesses that were impacted,” said Langevin.

Flash forward two years later, and the bureau did just that in its takedown of the Hive ransomware group’s website and servers, meriting a very different reaction from the now-retired lawmaker.

“Major kudos to The Justice Department, FBI and CISA for taking down Hive, one of the most destructive criminal ransomware groups in the world,” Langevin wrote on Twitter following news of the operation. “Thanks to their hard work, DOJ has prevented victims, like schools and hospitals, from paying $130 million in ransoms. Job well done!”

A refashioned message

The reaction from former critics like Langevin — as well as the details of the Hive takedown, public comments by FBI leadership and interviews with former government officials — indicate that the bureau may be internalizing some of the hard lessons it took from the fallout of the Kaseya incident when it comes to prioritizing victim recovery.

Austin Berglas, a former FBI cyber official, said the Kaseya and Hive operations “are things that are new situations that law enforcement and the FBI have been put into” over the past half decade as cybercrime, state-backed hacks and other forms of digital crime have become higher priorities for law enforcement and policymakers.

“I think that when you look at what happened with Kaseya and now Hive — [there were] huge lessons learned,” said Berglas, now global head of professional services at BlueVoyant, in an interview.

That learning curve includes a renewed emphasis on victim recovery, both in operational priorities and public messaging.

Whereas during the Kaseya episode the FBI opted to keep their possession of REvil’s decryptor key a secret from victims, a search warrant used to seize two U.S.-based Hive servers on Jan. 11 this year disclosed that agents had actually infiltrated the ransomware group’s network six months earlier, spending part of that time stealing over 1,000 decryptors that they then quietly passed along to over 300 victims and businesses.

While Wray told lawmakers two years ago that the three-week delay in handing over REvil’s decryptor was partly due to the need to analyze it for malware, those obstacles seemingly didn’t prevent the agency from passing keys to hundreds of Hive victims “sometimes within hours of encryption,” according to the search warrant.  

Wray and others practically treated their press conference announcing the takedown as a commercial to advertise the unique benefits that businesses and victims could potentially reap by picking up the phone and calling the FBI in the wake of an incident.

“Our actions in this investigation should speak clearly to those victims: it pays to come forward and to work with us…we need your help to stop cyber criminals to prevent future victims and in exchange, we pledge our tireless efforts to help you protect your systems and to prevent or recover losses,” Deputy Attorney General Lisa Monaco said at one point.

WASHINGTON, DC – JANUARY 26: U.S. Attorney General Merrick Garland (C), joined by Assistant Attorney General Lisa Monaco and Director of the Federal Bureau of Investigation (FBI) Christopher Wray, delivers remarks on an international ransomware enforcement action at the U.S. Justice Department on January 26, 2023 in Washington, DC. The Justic...
U.S. Attorney General Merrick Garland, center, joined by Assistant Attorney General Lisa Monaco, left, and FBI Director Christopher Wray, delivers remarks on an international ransomware enforcement action at the U.S. Justice Department on Jan. 26, 2023, in Washington.(Photo by Kevin Dietsch/Getty Images)

To be clear, there is still a fair bit we do not know about the precise circumstances behind the Hive operation, such as what pushed the FBI to move on seizing the servers and shutting down Hive’s dark net sites in January, how early the FBI used its access to Hive’s network to pilfer victim keys (Monaco said the activities went on “for months”) or precisely how the bureau balanced those needs with other investigative and disruptive priorities.

Indeed, Wray noted that alongside arrests and infrastructure disruption, efforts to claw back ransom payments and obtain decryptors for victims is increasingly how the FBI is measuring its impact in ransomware-related operations and something the public can expect the bureau to do “more and more” in future situations.

I think a lot of this is a reaction to things that they didn’t quite get right, or at least the perception that they didn’t get right, in the Kaseya case,” said Bryan Ware, a former assistant director at the Cybersecurity and Infrastructure Security Agency and is now CEO of LookingGlass Cyber Solutions. “You can’t just tell businesses not to pay the ransom but then they’re left to their own devices. This [incident] shows…that the bureau has some teeth here and is willing to be a good partner.”

A new weapon in an ongoing cyber turf battle

The Department of Justice will likely always need to walk a fine line between helping victims and gathering intelligence or moving to dismantle ransomware infrastructure before a group is potentially tipped off that their network is compromised. However, the renewed public focus on recovering lost data and getting organizations back up and running is “absolutely a message of success and something that they will use as a foundation going forward.”

“Private companies want to know, [if I] share my intelligence and share my information, what am I going to get back? That’s the question always,” said Berglas, relaying feedback the government frequently hears from cooperating businesses. “Often times we’re giving indicators of compromise and domains and IP addresses and all this stuff, but I never hear anything back from you guys. This is the [FBI’s] message, this is saying if you report these things to us, our aperture can open up, we can start helping you.”

One of the reasons the FBI and Department of Justice are increasingly emphasizing their remediation and recovery efforts these days may be because they have lost ground over the past few years to other federal agencies when it comes to being the cybersecurity communication gateway to the private sector.

Chiefly, the elevation of the Cybersecurity and Infrastructure Security Agency over the past five years has eaten into the FBI’s role as the primary federal entry point for hacked organizations.

There remain large and meaningful differences between the writs of FBI’s and CISA over cybersecurity issues. For instance, CISA has little if any authorities over traditional law enforcement investigations or prosecution of cybercrime, focusing mainly on coordinating with private sector entities and providing technical assistance to insecure organizations. It’s also far smaller, less resourced and lacks the authorities or capabilities to do anything like the Hive takedown.

Wray often likes to note that the FBI has well-staffed field offices in every state and can often be at the door of a hacked business “within an hour” of getting a call. Ware noted that despite the increased authorities and funding from Congress, CISA still lacks anything close to that kind of reach and presence, with approximately 150 cybersecurity advisors spread out across all 50 states.

“I think there is a desire to have that single front door [for the private sector] but there’s some practical challenges. One of those is that if it’s a criminal matter, CISA is not a law enforcement agency, it doesn’t have the criminal authorities, it can’t do the same kind of investigations, it can’t recover lost funds, it can’t bring the bad guys to justice,” said Ware.

WASHINGTON, DC – JANUARY 26: An image of a seized ransomeware website is displayed at a press conference where the U.S. Attorney General Merrick Garland made an announcement on an international ransomware enforcement action at the U.S. Justice Department on January 26, 2023 in Washington, DC. The Justice Department announced that the FBI has ...
An image of a seized ransomeware website is displayed at a press conference at the U.S. Justice Department on Jan. 26, 2023, in Washington. (Photo by Kevin Dietsch/Getty Images)

The flip side is that while the FBI and Wray have far more resources to bring to bear, the bureau also have a much larger mission portfolio and their top cyber officials tend to operate lower in departmental hierarchy. By contrast, CISA and its director, Jen Easterly, essentially function as the top cybersecurity authorities within the Department of Homeland Security (although technically other officials, like undersecretary Rob Silvers, sit above Easterly and wield influence over policy), allowing for a sharper focus on cyber issues.

However, when it comes to hacked businesses interfacing with the government, Congress and many private sector entities have often indicated a preference for CISA, which tends to bring far less reputational baggage and fewer mission conflicts than the bureau. That role will likely only increase as CISA finalizes new incident reporting regulations, which will put them in line to receive details from hacked critical infrastructure entities on hundreds or thousands of incidents and campaigns that otherwise may have gone unreported in previous years. Notably, when the FBI made a late push to be included as one of the lead agencies receiving said reports in real time alongside CISA, Congress rebuffed the request.

That hasn’t stopped FBI officials from continuing to insist, as Wray did at the end of the Hive presser, that the agency still has a unique federal role and capabilities that should incentivize the private sector to reach out when they are hit with a cyberattack.

“Today’s lesson for businesses large and small, for hospitals and police departments and really all the other many victims of ransomware is this: reach out to your local FBI field office today. Introduce yourself so that you know who to call if you become the victim of a cyber attack,” said Wray. “We are ready to help you build a crisis response plan so that when an intruder does come knocking, you’ll be prepared and like the Hive victims here, when you talk to us in advance…you will know how we operate quickly and quietly, giving you the assistance, the intelligence and the technical information that you want and you need.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds