FBI detected countries from where CCSS systems would have been attacked | crhoy.com

(CRHoy.com) The extensive police operation to dismantle the cybercriminal organization credited with attacking the systems of the Costa Rican Social Security Fund (CCSS) allowed the FBI and police from other countries to identify the places where the hackers would have had bases of operations.

In a comprehensive statement released this Thursday, the United States Department of Justice confirmed that, in addition to the operations carried out from the United States, the effort had the collaboration of the German Federal Criminal Police and Police Headquarters Reutlingen-CID Esslingen, as well as the National High-Tech Crime Unit of the Netherlands.

They also point out that they received support from authorities in other countries such as the Peel Regional Police of Canada, the Royal Mounted Police of Canada, the French Central Directorate of the Judicial Police, the Criminal Police Office of Lithuania and others from the United States.

The North American authorities say that Hive, the criminal group that was intercepted, would have broken into the systems of more than 1,500 victims from 80 countries, including hospitals, school districts, financial companies, and critical infrastructure.

“Since late July 2022, the FBI penetrated Hive’s computer networks, captured their decryption keys and offered them to victims around the world, preventing victims from having to pay the $130 million ransom demand. Since the Hive network was infiltrated in July 2022, the FBI has provided more than 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed more than 1,000 additional decryption keys to previous Hive victims,” the Department of Justice reported.

In the statement they revealed that since June 2021, the Hive ransomware group collected more than $100 million in ransoms from its 1,500 victims.

“Hive ransomware attacks have caused significant disruptions to the daily operations of victims around the world and affected responses to the COVID-19 pandemic. In one case, a hospital attacked by Hive ransomware had to resort to analogue methods to treat existing patients and was unable to accept new patients immediately after the attack,” they reported.

Double extortion

In the letter they detailed that the criminals used a double extortion attack model and always looked for the most sensitive data in order to pressure the victims to pay.

“Before encrypting the victim’s system, the affiliate would leak or steal sensitive data. The affiliate then sought a ransom for both the decryption key needed to crack the victim’s system and a promise not to publish the stolen data. Hive actors frequently targeted the most sensitive data on a victim’s system to increase pressure to pay. After a victim pays, the affiliates and administrators split the ransom 80/20. Hive published the data of non-paying victims on the Hive leak site.”

According to the US Cybersecurity and Infrastructure Security Agency (CISA), Hive affiliates gained initial access to victims’ networks through various methods, including: single-factor logins via the Remote Desktop Protocol (RDP), Virtual Private Networks (VPN), and other remote network connection protocols; exploiting FortiToken vulnerabilities; and sending phishing emails with malicious attachments.
