Issue Date: 27/01/2023
The Garda National Cyber Crime Bureau (GNCCB) has actively participated in Operation Downbreaker, an operation supported by EUROPOL and international partners targeting the Hive Ransomware Group.
The operation has now shut down the servers and technical infrastructure used by the ransomware group.
In the past year, HIVE ransomware has been identified as a major threat to international security, having been used to compromise and encrypt the data and computer systems of large IT companies and multinationals in Europe and elsewhere.
HIVE was run by two cohorts of cybercriminals: developers, who built and maintained the ransomware, and affiliates, who used it to copy a victim's data and then encrypt the victim's files. The affiliates then demanded a ransom both to decrypt the files and to not publish the stolen data on the HIVE Leak Site. When a victim paid, the ransom was split between the affiliates (80%) and the developers (20%).
This is what is known as the 'ransomware-as-a-service' (RaaS) model. In recent years it has been behind high-level attacks that often target organisations operating or supporting critical infrastructure, such as government agencies, healthcare providers and telecommunications companies.
Some affiliates gained access to a victim's network by using single-factor logins over Remote Desktop Protocol, virtual private networks and other remote access protocols. In other cases they bypassed multifactor authentication and gained access by exploiting vulnerabilities in the remote access systems themselves.
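The access vector described above (single-factor RDP or VPN logins reachable from the internet) is something a defender can look for in their own Windows Security logs before an affiliate does. The script below is an added example written for this page; it is not code from An Garda Síochána, EUROPOL or the Hive investigation. It walks a constructed sample of EventID 4624 (successful logon) records, keeps only RemoteInteractive (RDP, type 10) and Network (type 3) logons, and flags those whose source address falls outside an assumed list of internal ranges. The field names follow the standard 4624 event schema; the sample events, the host names and the internal address ranges are assumptions made up for the example.

```python
import ipaddress
import json

# Constructed sample of Windows Security log records (EventID 4624 = successful logon),
# written for this example; they are not data from the page or from any investigation.
# Field names follow the 4624 event schema (LogonType, IpAddress, TargetUserName).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith",
     "IpAddress": "203.0.113.45", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin",
     "IpAddress": "10.20.0.7", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "IpAddress": "198.51.100.9", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jsmith",
     "IpAddress": "127.0.0.1", "Computer": "WS22"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin",
     "IpAddress": "203.0.113.45", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "ctx_user",
     "IpAddress": "-", "Computer": "FS01"},
]

# Logon types that mean the session came in over the network rather than at the console.
REMOTE_LOGON_TYPES = {
    3: "Network",             # SMB, RPC, WinRM and similar
    10: "RemoteInteractive",  # RDP / Terminal Services
}

# Ranges the organisation treats as internal. This list is an assumption for the
# example; a real deployment would load its own address plan (VPN pools, office ranges).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def is_external(addr):
    """True when addr parses as an IP address outside every internal range.
    Non-address values such as '-' (common in 4624 records) are treated as not external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def flag_external_remote_logons(events):
    """Return the successful remote logons whose source address is outside the
    internal ranges: each one is an RDP or network logon reachable from the internet."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue                      # only successful logons
        logon_type = ev.get("LogonType")
        if logon_type not in REMOTE_LOGON_TYPES:
            continue                      # console, service, batch: not remote access
        src = ev.get("IpAddress", "")
        if not is_external(src):
            continue
        findings.append({
            "computer": ev.get("Computer"),
            "user": ev.get("TargetUserName"),
            "source": src,
            "logon_type": logon_type,
            "description": REMOTE_LOGON_TYPES[logon_type],
        })
    return findings


def exposed_hosts(findings):
    """Collapse findings to the (host, logon type) pairs that need an exposure/MFA review."""
    return sorted({(f["computer"], f["logon_type"]) for f in findings})


if __name__ == "__main__":
    hits = flag_external_remote_logons(SAMPLE_EVENTS)
    for hit in hits:
        print(json.dumps(hit))
    print("hosts to review:", exposed_hosts(hits))
```

One caveat a practitioner should keep in mind: a 4624 record does not say whether a second factor was checked, so the script finds internet-sourced RDP and network logons (the exposure the release describes), not MFA bypasses. Each flagged host still has to be checked against the gateway or VPN configuration to confirm that single-factor logins are actually impossible there.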
Since June 2021, over 1,300 companies worldwide have fallen victim to the affiliates of the HIVE Ransomware Group and have paid almost €100 million in ransom payments.
As part of its direct involvement in Operation Downbreaker, Gardaí attached to GNCCB have taken part in several operational meetings and are currently investigating a number of HIVE ransomware incidents that targeted Irish victims.
The work of Gardaí as part of this operation has ensured that Irish-based victims of HIVE are supported and have been provided with decryption keys, enabling them to regain access to their data without paying the cybercriminals.
Through An Garda Síochána's membership of EUROPOL, GNCCB also provided analytical support, exchanging available information with criminal cases inside and outside the EU, and supported the investigation through cryptocurrency, malware, decryption and forensic analysis.
The work of GNCCB as part of this operation has prevented further private companies from falling victim to HIVE ransomware. Further analysis of this data and of other related cases is expected to result in additional investigative activity.
Detective Chief Superintendent at the Garda National Cyber Crime Bureau, Barry Walsh said, "This is an excellent result that has come from a lot of painstaking work carried out by Gardaí in the Cyber Crime Bureau together with our colleagues across the world.
"It underscores the immense value of co-ordinating a collective law enforcement response to emerging criminality.
"The HIVE Ransomware Group has caused a great deal of distress to people in Ireland, and has upset their daily lives in more ways than one. This is not just about the monetary loss suffered by victims, but the significant disruption that a cyberattack causes.
"We will further maximise on this work and stay focused on targeting the tactics and methods of cybercriminals and which affect victims here in Ireland.”
Other Law Enforcement Authorities involved:
Canada: Royal Canadian Mounted Police (RCMP) & Peel Regional Police
France: National Police (Police Nationale)
Germany: Regional Police Esslingen (Polizei BWL – Esslingen)
Lithuania: Criminal Police Bureau (Kriminalinės Policijos Biuras)
Netherlands: National Police (Politie)
Norway: National Police (Politi)
Portugal: Judicial Police (Polícia Judiciária)
Romania: Romanian Police (Poliția Română – DCCO)
Spain: Spanish National Police (Policía Nacional)
Sweden: Swedish Police (Polisen)
United Kingdom: National Crime Agency
USA: United States Secret Service, Federal Bureau of Investigation