The Lawfare Podcast

Alex Iftimie on the DOJ Disruption of the Hive Ransomware Group

The Lawfare Institute

History, News, National Security, Law, Terrorism, Current Events, Military, International Law, Foreign Policy, Intelligence, International Relations, Politics, Diplomacy, Rule Of Law, Government, Constitutional Law

4.7 (6.4K Ratings)

🗓️ 9 February 2023

⏱️ 33 minutes

Summary

On January 26, the Department of Justice held a press conference to announce its months-long disruption campaign against the Hive ransomware group that has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure. In July 2022, the FBI penetrated Hive’s computer networks, captured its decryption keys, and, over the course of the ensuing months, offered the decryption keys to victims worldwide, preventing these victims from having to pay $130 million in ransom that Hive demanded. 

To talk about this disruption operation, Lawfare senior editor Stephanie Pell sat down with Alex Iftimie, partner at the law firm Morrison Foerster and a former federal prosecutor in the National Security and Cyber Crimes Units in the U.S. Attorney’s Office for the Eastern District of Virginia. They talked about how the Hive ransomware group operated, the significant aspects of this disruption operation, and how this disruption operation fits into the broader picture of U.S. government efforts to disrupt ransomware groups and actors.

Support this show http://supporter.acast.com/lawfare.


Hosted on Acast. See acast.com/privacy for more information.

Transcript

0:00.0

The following podcast contains advertising.

0:04.0

To access an ad-free version of the Lawfare Podcast,

0:08.0

become a material supporter of Lawfare at patreon.com slash lawfare.

0:14.0

That's patreon.com slash lawfare.

0:18.0

Also, check out Lawfare's other podcast offerings,

0:22.0

Rational Security, Chatter, Lawfare No Bull, and The Aftermath.

0:29.0

And so we are seeing them lean forward in making the case for why coming forward to law enforcement is worth victims' time.

0:44.0

And there are a few things that I can think of that are more valuable to those victims than the prospect of getting a decryption key that will allow them to get their systems back up and running after one of these attacks.

0:58.0

I'm Stephanie Pell, senior editor at Lawfare, and this is the Lawfare Podcast, February 9, 2023.

1:06.0

On January 26, the Department of Justice held a press conference to announce its months-long disruption campaign against the Hive ransomware group that had targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure.

1:27.0

In July of 2022, the FBI penetrated Hive's computer networks, captured its decryption keys, and over the course of the ensuing months, offered the decryption keys to victims worldwide, preventing these victims from having to pay $130 million in ransom that Hive demanded.

1:47.0

To talk about this disruption operation, I sat down with Alex Iftimie, partner at the law firm Morrison Foerster, and a former federal prosecutor in the National Security and Cybercrime Units in the U.S. Attorney's Office for the Eastern District of Virginia.

2:04.0

We talked about how the Hive ransomware group operated, the significant aspects of this disruption operation, and how this disruption operation fits into the broader picture of U.S. government efforts to disrupt ransomware groups and actors.

2:21.0

It's the Lawfare Podcast, February 9: Alex Iftimie on the DOJ Disruption of the Hive Ransomware Group.

2:31.0

Alex, can you start by telling us a bit about the Hive ransomware group? What did they do, who were their victims, and why was it important to disrupt their operations?

2:43.0

Thanks so much for having me. The Hive ransomware group has been around since the summer of 2021. They became one of the most prolific ransomware groups out there by mid-2022,

2:57.0

right around the time that the Conti ransomware group went out of favor, and the Conti group went out of favor after they made public statements in support of the Russian invasion of Ukraine.

3:09.0

It led a lot of victims and a lot of the companies that support victims to refuse to make payments to that group, and it seems like a lot of the affiliates and actors who were part of that group then migrated to Hive and other ransomware groups.

3:26.0

In terms of the types of sectors targeted, Hive has targeted a wide array of groups, everything from the energy sector to healthcare to the financial, media, education sectors.

3:41.0

They are one of a number of ransomware groups out there that operate on a ransomware-as-a-service model, that is, there are developers who develop the ransomware suite of tools, and they essentially lease that infrastructure out to affiliates who go out to identify victims, to obtain access to the networks of those victims, and who are the ones who actually deploy ransomware.

4:09.0

Another defining feature of this group is that they also operate on what's called a double extortion model, which is to say, in addition to encrypting data on systems, they also go in and, before encrypting that data, steal data from victims' networks to increase the leverage that this group has.

4:30.0

Even if a victim could, for example, restore systems from backups, the ransomware group will use the threat of publishing the stolen data from the victim's network as another means of extorting the victim.

...

Disclaimer: The podcast and artwork embedded on this page are from The Lawfare Institute, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of The Lawfare Institute and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
