Hacking the Hackers: The FBI’s Takedown of the Hive Ransomware Gang

The FBI is the lead agency tasked with investigating cybercrime, including defending hospitals and health systems from frequent cyberattacks. Hear the dramatic story of their recent takedown of the Hive ransomware gang, whose criminal enterprise threatened patient safety.

00;00;00;21 - 00;00;24;25
Tom Haederle
Defending hospitals and health systems from frequent cyber attacks is a battle largely fought in the shadows, out of the public eye. And when the good guys score a big win, as the FBI recently did with its takedown of a criminal gang whose cyber mischief threatened caregivers and patients, some of the operational details must remain in the shadows. Nonetheless, the following is a great story, with a lesson for cybercriminals everywhere: mess with health care and you will pay.

00;00;25;04 - 00;01;03;18
Tom Haederle
Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA Communications. The HIVE ransomware gang operated by what law enforcement calls a double extortion model. That is, it had two very effective ways to extort money from hospitals and health systems, and if one didn't work, it would just switch to the other.

00;01;03;29 - 00;01;25;00
Tom Haederle
How the FBI put a stop to this is the subject of today's podcast. The story is told by an FBI supervisor in charge of the HIVE investigation, in conversation with John Riggi, AHA's national advisor for Cybersecurity and Risk. John knows the FBI in these types of cases well, having spent nearly 30 years at the FBI. John, over to you.

00;01;25;27 - 00;01;50;25
John Riggi
Thanks, Tom. Great to be here again with you and all our listeners. This again is John Riggi, your national advisor for Cybersecurity and Risk. And what a special episode we have today, an exclusive interview with the FBI supervisory special agent Justin Crenshaw, who will be here to give us an inside look at the HIVE ransomware gang takedown.

00;01;51;04 - 00;02;19;08
John Riggi
Really an extraordinary opportunity. And we certainly appreciate Justin and the FBI making themselves available to speak with us about this very, very important takedown concerning this ransomware gang, which had been targeting, among others, hospitals and health systems. Just a quick word about Justin Crenshaw. Justin's been with the FBI as an FBI agent for over 19 years, serving in multiple field offices and in headquarters assignments.

00;02;19;19 - 00;02;45;23
John Riggi
He currently supervises the cyber squad at the FBI Orlando Resident Agency out of the Tampa field office. Justin's squad has been investigating the HIVE ransomware group for about a year and a half. So, Justin, thanks so much for being here with us today to talk about this very, very important case. And we certainly understand that this is an ongoing criminal investigation.

00;02;46;15 - 00;03;04;24
John Riggi
So we totally understand that you'll be limited in what you can say. Quite frankly, I was actually surprised that you were able to be here with us today during this. So, again, I think that just demonstrates the commitment of the FBI and the Department of Justice to work with the health care sector on these very important issues.

00;03;05;07 - 00;03;15;27
John Riggi
Justin, can you briefly describe the HIVE ransomware gang ... where you believe they're based? And in general, what is their method of operation?

00;03;16;17 - 00;03;31;28
Justin Crenshaw
Hi, John. Sure. First, I'd like to start by saying thank you for having me, and giving me an opportunity to represent my squad and others in the FBI that have put a lot of work into this case. I do appreciate the opportunity to share the information with your audience. To tell you a little bit about HIVE,

00;03;31;28 - 00;04;07;28
Justin Crenshaw
it's a ransomware as a service. That means that HIVE leases software and services to cybercriminals to use. They have an admin and affiliates. The administrator is responsible for writing the encryption software. He sets up infrastructure and basically writes the rules, and then the affiliates exploit vulnerabilities in company networks and bring victims to that HIVE admin. The affiliate conducts reconnaissance in a victim's network and tries to identify as many computers, as much of the network, as possible.

00;04;08;09 - 00;04;34;12
Justin Crenshaw
He then exfiltrates or steals data and then encrypts as many computers as possible on the way out. From that point, the admin and the affiliate negotiate with victims on a dark web site to try to get a ransom that's paid in Bitcoin. And this is what we call a double extortion model, where victims are expected to pay for decryption keys in order to restore their network, restore operations.

00;04;34;29 - 00;04;55;00
Justin Crenshaw
But even for victims who can restore from backups and don't need decryption keys, the leverage over them is that if they don't pay, their stolen data is disclosed on HIVE's leak site. And you asked where they're based, where they are? Well, with threat actors like HIVE and with other ransomware variants, the threat actors could be anywhere in the world.

00;04;55;15 - 00;05;04;05
Justin Crenshaw
But I'll say we did decide to use a splash page that's in both English and Russian. We wanted to ensure that the HIVE threat actors understood the message.

00;05;04;26 - 00;05;35;17
John Riggi
Thanks for that, Justin. It is interesting that you did post the notice in multiple languages, including Russian. We know from past ransomware gang activity targeting U.S. critical infrastructure, it seems that the majority of these gangs, these foreign-based ransomware gangs, were Russian speaking and perhaps being sheltered by the Russian government, either explicitly or tacitly. So really amazing that you were able to get in there

00;05;35;17 - 00;06;08;24
John Riggi
and this ransomware as a service, somewhat of a franchise model, which has made this much more lucrative for the bad guys. But they think this is about finances and data, not realizing that when they attack a hospital, they're disrupting patient care and urgent patient care, causing the diversion of ambulances, cancellation of surgeries, cancellation of radiation oncology, all types of urgent patient care services being disrupted and risking patient safety.

00;06;09;10 - 00;06;23;24
John Riggi
And I just don't think they understand that or want to focus on that. Justin, can you tell us a little bit more, tell us what type of victims were they targeting? And were U.S. hospitals and health care being targeted specifically as well?

00;06;24;11 - 00;06;50;19
Justin Crenshaw
Well, like other ransomware actors, HIVE threat actors were definitely financially motivated. And like other actors, they targeted private companies and public organizations of all sizes. To that end, they used social engineering tactics like spear phishing and also technical means. And sometimes simple means, like just using compromised passwords for single-factor login accounts. They were targeting health care.

00;06;51;00 - 00;07;16;04
Justin Crenshaw
We know that there were over 1,300 HIVE victims. And at least 600 of them were in the United States. Of those 600, more than a hundred of the U.S. victims were hospitals or other health care providers. We believe that HIVE targeted health care for a couple of reasons. First, we believe that they thought hospitals would be quick to pay in order to restore critical operations and be able to care for patients.

00;07;17;00 - 00;07;44;10
Justin Crenshaw
Second, they thought hospitals would be quick to pay, too, in order to avoid disclosing sensitive patient information. And unfortunately, we also saw that some hospitals were more vulnerable to the attack because they had older, unpatched hardware or software. They weren't using things like multi-factor authentication. And so with that, you know, I'd like to reiterate that the FBI encourages organizations to practice good cyber hygiene to mitigate attacks like this.

00;07;44;22 - 00;08;11;08
Justin Crenshaw
Things like multi-factor authentication, good password management, keeping anti-virus software updated. We recommend that you create an incident response plan and exercise it. Train employees with things like phishing tests. And the government has a lot of practical information that individuals and businesses can take advantage of, and we have that on ic3.gov and stopransomware.gov.

00;08;11;24 - 00;08;44;11
John Riggi
And thank you, Justin. It's amazing again that even though they are financially motivated, they certainly understand that when they attack a hospital, yes, there's that urgency to pay because they know that people's lives are in danger and at risk. When you divert an ambulance, cause an ambulance to be diverted 30 minutes, 40 minutes or maybe only 15 minutes away, and that ambulance has a stroke, trauma or heart attack patient on board, those minutes could literally mean the difference between life and death.

00;08;44;24 - 00;08;55;17
John Riggi
That's why we were very happy to see the U.S. government and the FBI in particular classify ransomware attacks on hospitals as what they are: threat-to-life crimes.

00;08;56;01 - 00;09;24;26
Justin Crenshaw
Agreed. And I can actually offer you, you know, an example. There were several hospitals that we worked with directly, but one jumps out. This was last summer. We alerted one of our legal attachés in Europe. There was a new victim, a hospital in a particular country. And within a day the national police confirmed the HIVE attack and reported that the hospital's infrastructure was almost completely down.

00;09;25;20 - 00;09;47;14
Justin Crenshaw
So we were able to provide decryption keys to that hospital and they were able to restore operations almost the same day. And because we were able to do it so quickly, they had not started negotiations with HIVE. They avoided paying a ransom. And to your point earlier, the hospital stated that our action, the quick action of providing those decryption keys, likely saved lives.

00;09;48;02 - 00;10;22;13
John Riggi
Extraordinary. Most people think that when the FBI becomes involved in response to a major cyberattack, they're there simply to collect forensic evidence and conduct an investigation, make attribution. Not realizing that the FBI can actually directly assist the victim in recovery, and hopefully help them avoid having to pay the ransom, and ultimately help save lives. So in this instance, really an extraordinary and unique investigation, which was an undercover operation.

00;10;22;29 - 00;10;56;03
John Riggi
And Attorney General Garland and FBI Director Wray described in their press conference this truly extraordinary undercover operation in which the FBI was able to covertly infiltrate this group or, in their words, "hack the hackers" for several months without giving up sensitive sources and methods. What can you tell us about this operation, and how were you able to secretly assist the victims of HIVE, just as you described, to recover from these ransomware attacks without the bad guys, without the HIVE ransomware operators, catching on?

00;10;56;26 - 00;11;23;25
Justin Crenshaw
Right. So we did gain access to HIVE servers and maintained access for almost seven months. We used that access and appropriate legal authority to obtain all of the HIVE decryption keys and also other sensitive information to help with the investigation: information on HIVE's infrastructure, admin, affiliates, operations. How we did that was due to coordination with victims and foreign law enforcement partners.

00;11;24;12 - 00;11;55;19
John Riggi
Again, this highlights the incredible value of cooperation with the victims. And again, we here at the American Hospital Association always stress that victims should immediately contact the FBI and CISA should they become a victim. We stress that you all are not regulators. You will not be contacting the HHS Office for Civil Rights. And again, we stress that there are practical reasons for them to contact the FBI and CISA.

00;11;55;19 - 00;12;22;11
John Riggi
You may be able to help them restore, but also you're able to understand and identify who's behind the attack, gather the malware signatures and put those out in an unattributed national cyber alert to help warn others, which may prevent other attacks. So there's lots of reasons. And clearly this is really the textbook example that helped enable your undercover operation.

00;12;22;29 - 00;12;38;27
John Riggi
So let me ask you this. What is the theory now on why the HIVE ransomware operators did not discover that they were infiltrated and compromised by the government for so long? Seven months is an extraordinary amount of time to be infiltrated.

00;12;38;27 - 00;13;03;21
Justin Crenshaw
And honestly, it's longer than we expected it to last. But I'd credit two things, really. First, good operational security, good OPSEC. And then the other is a strong technical capability. As far as OPSEC, that started as soon as we engaged victims; there was a very deliberate and well-thought-out effort, I think. We didn't just give victims keys and walk away.

00;13;04;07 - 00;13;29;10
Justin Crenshaw
We provided insight, indicators of compromise, IOCs; tactics, techniques and procedures, TTPs; and then we offered decryption keys. And before we provided the keys, we explained it was important that the victims protect the fact that they had decryption keys and that they got them from the FBI. And that was so that we could continue helping victims like them. We'd also help victims use the keys.

00;13;29;10 - 00;13;57;08
Justin Crenshaw
We'd help walk them through technical issues so they could actually use the keys to decrypt the files. And then after the files were decrypted and operations restored, we would ask that in exchange, they provide us with any new indicators of compromise, anything else that could help further our investigation. So by working with victims in this way, I'd say not only did we ensure that we protected the operation, we also gained valuable information and helped move the investigation forward.

00;13;57;24 - 00;14;19;01
Justin Crenshaw
And then the other point I made is technical capability. I really want to credit some very talented computer scientists and other cyber experts that the FBI has. And without going into sensitive details, those are the folks that really helped us to establish and maintain access to HIVE's server in a way that HIVE could not detect.

00;14;19;14 - 00;14;51;23
John Riggi
Yeah, that's a great point, Justin, that often people think of FBI agents as the folks in the raid jackets carrying weapons, kicking down doors. But clearly it's so much more, and it's just as important to have folks with those technical skills that can break down those digital doors and absolutely penetrate those servers, that really make this all happen. You also pointed out the fact, again, that you had to rely on the victims' cooperation to keep this a secret.

00;14;51;29 - 00;15;13;12
John Riggi
Amazing: hundreds of victims, truly in a demonstration of a whole-of-nation approach to this problem. It's in the government's interest for victims to share and cooperate; it protects them and helps protect the nation. But, you know, some of that reluctance, again, comes with the concern. They say, well, we know the cyber threat information is protected when we share with the FBI.

00;15;13;20 - 00;15;29;24
John Riggi
But would the FBI or does the FBI share information with regulators such as the HHS Office of Civil Rights? Justin, can you tell us, how does the FBI protect that victim information and do you share that information with regulators?

00;15;30;13 - 00;15;55;18
Justin Crenshaw
Yeah, absolutely. So we do ask victims to provide information that can help the investigation. We ask for things like log information that can help us understand how the threat actor gained access, how he moved through the victim's network, what was exfiltrated. But we're not asking for sensitive information like customer or patient data. First, that doesn't help our investigation.

00;15;55;26 - 00;16;23;17
Justin Crenshaw
And second, we are not a regulatory agency. So we focus on disrupting criminal actors, not on collecting information. You mentioned the Cybersecurity Information Sharing Act of 2015. I think that's a great mechanism for organizations to be able to proactively share cyber threat information. And then when they do, that information is afforded protections. It's exempt from federal/state disclosure laws.

00;16;24;00 - 00;16;47;20
Justin Crenshaw
And it's not, well, it's not a substitute for mandatory reporting. It does allow organizations to proactively share cyber threats with a case team like ours. And it's really critical that they feel comfortable to do that, so that we can help them with information, possibly decryption keys or other insight into the threat. And it can help drive our investigation forward.

00;16;48;04 - 00;17;13;23
Justin Crenshaw
One of the challenges that we noted with HIVE was significant underreporting to law enforcement. We determined that only about 20% of HIVE's victims in the United States reported the attack. And it's not a new phenomenon, underreporting. We continue to do all we can to share the decryption keys with them, provide assistance. But it presents a large challenge.

00;17;13;23 - 00;17;31;26
Justin Crenshaw
And I just want to reiterate that it's that initial reporting, the victim reporting a cyber intrusion to the FBI, that really enables us to provide support, help get the systems back up and running. It also helps us with the investigation and to potentially prevent future victims from being targeted.

00;17;32;14 - 00;17;57;11
John Riggi
Very, very important point there, especially that about preventing future victims from being targeted. So, again, in certain circumstances in health care you may have a legal obligation to report a ransomware attack, especially if it involves the compromise of protected health information, such as in those double extortion type cases where they're exfiltrating data while they're encrypting networks and systems.

00;17;57;23 - 00;18;41;04
John Riggi
But again, beyond the legal requirement to report, I would suggest and I would proffer my personal opinion that there is a moral obligation to report, again in total confidence, with immunity, to the FBI and CISA so they can help warn the nation, warn other hospitals and health systems. So Justin, I think we have clearly established why it's so important to get a hold of the federal government, the FBI and CISA. And the reason why I keep mentioning CISA, folks: one, they work very closely with the FBI, but probably towards the end of next year, it will become a requirement to report cyberattacks, including ransomware attacks, to CISA, who will then communicate with

00;18;41;04 - 00;19;03;01
John Riggi
the FBI. I always say, though, contact both to ensure that both have the information. Following that comment, Justin, could you clarify the role of the FBI in response to a ransomware attack on a hospital, especially in comparison to CISA and HHS? And do all investigative agencies share information?

00;19;03;22 - 00;19;44;12
Justin Crenshaw
So the role of the FBI is that we maintain active investigations into nearly all major ransomware variants, and we become really subject matter experts. And we work closely with other government partners such as CISA, Health and Human Services and other agencies within the intelligence community to address those threats. CISA provides victims with guidance on mitigation, coordination with the FBI and other agencies, and then that information sharing and cooperation are really key to this, to the success that we have after an attack in our investigation and holding those threat actors accountable.

00;19;45;03 - 00;20;13;11
John Riggi
Justin, one other question that I wanted to ask you. So in terms of the takedown, we see the press conferences, the big splashy press conference with the attorney general and the FBI director, and it's great news, but you know, what other steps were taken to ensure that this organization was actually disrupted for the long haul? Were you able to take down their technical and financial infrastructure as well?

00;20;14;07 - 00;20;41;27
Justin Crenshaw
That's an excellent question. We did take down their technical infrastructure: the public-facing Tor sites, back-end servers. We took away the ability to bring in new victims and for the admin and the affiliates to work together to extort those victims, to steal data and disclose it on the HIVE leak site. I'd say we also destroyed HIVE's reputation as a safe and anonymous platform for cybercriminals to use.

00;20;42;18 - 00;21;11;13
Justin Crenshaw
But while we dismantled the infrastructure, we recognize that we did not stop HIVE threat actors from being cyber criminals. They are still able to potentially develop or use other ransomware variants. And we recognize that the FBI and our partners have work to do to hold those threat actors accountable. We are not resting. Identification and attribution of those threat actors is a significant part of our work.

00;21;11;28 - 00;21;15;19
Justin Crenshaw
And just know that the investigation and our work with partners is ongoing.

00;21;16;13 - 00;21;43;11
John Riggi
Thank you, Justin. That's a good point to remind everyone. Although this was a significant battle victory, the long fight continues, as these individuals are still out there and still targeting U.S. critical infrastructure and U.S. health care in particular. Justin, is there someplace where we could go to learn more about this case and other cyberthreat intelligence from the FBI and other agencies?

00;21;44;07 - 00;22;14;09
Justin Crenshaw
For more information about ransomware and best practices to secure your network, I recommend that you visit stopransomware.gov or fbi.gov and navigate to cybercrime. If you are the victim of a ransomware attack or any cyber attack, I recommend you report it on www.ic3.gov. And of course, if you are under attack, especially if patient care is compromised, I recommend you reach out to your local FBI field office or to FBI CyWatch.

00;22;14;12 - 00;22;19;09
Justin Crenshaw
And the CyWatch number is 855-292-3937.

00;22;20;11 - 00;22;44;14
John Riggi
Justin, thanks again for being here with us today, really, for this inside look at this extraordinary case. Thank you. Thank all the men and women on your squad and in the FBI for everything you do every day to protect the nation. And thanks to all our listeners and especially our frontline health care heroes, for all that you do to care for our patients and be there for our communities.

00;22;44;29 - 00;23;04;20
John Riggi
This has been John Riggi, your national advisor for Cybersecurity and Risk. Stay safe, everyone.