What made the Emotet malware strain so alarming was that the malware was offered for sale to other hackers via the Dark Web. This allowed multiple criminal organizations to put the malware to use across the globe. This type of attack is one of the biggest cybercrime attacks used in the world today. Emotet ransomware grew quickly and rivaled other large ransomware variants, including TrickBot and Ryuk.
The system used by Emotet involved hundreds of servers located across the globe, all having different functionalities to manage machines of the infected victims, spread the malware, serve other criminal groups, and make the network more resilient against takedown attempts.
The U.S. Department of Justice (DOJ) and the FBI recently collaborated in a multinational operation to dismantle the notorious Qakbot malware and botnet. While the operation was successful in disrupting this long-running threat, concerns have arisen as it appears that Qakbot may still pose a danger in a reduced form. This article discusses the aftermath of the takedown, provides mitigation strategies, and offers guidance on determining past infections.
During the takedown operation, law enforcement secured court orders to remove Qakbot malware from infected devices remotely. It was discovered that the malware had infected a substantial number of devices, with 700,000 machines globally, including 200,000 computers in the U.S., being compromised at the time of the takedown. However, recent reports suggest that Qakbot is still active but in a diminished state.
The absence of arrests during the takedown operation indicates that only the command-and-control (C2) servers were affected, leaving the spam delivery infrastructure untouched. Therefore, the threat actors behind Qakbot continue to operate, presenting an ongoing threat.
While the takedown of Qakbot was a significant achievement, the threat landscape remains complex. There is a possibility of Qakbot's resurgence, given its operators' adaptability and resources. Staying vigilant and implementing security measures is crucial to prevent future infections. BlackBerry's CylanceENDPOINT solution is recommended to protect against Qakbot's execution, and specific rules within CylanceOPTICS can enhance protection against threats like Qakbot.
Reports of the takedown first came Thursday morning when security researchers noted on Twitter that Hive's dark web leak site had been replaced by an apparent takedown notice from various law enforcement agencies. Shortly after, the Department of Justice (DOJ) held a press conference in which Attorney General Merrick Garland announced that the FBI Wednesday night acted on a court order to seize servers containing the criminal network's "critical information." Moreover, the department was given authorization to seize Hive's leak site.
Hive is a ransomware-as-a-service operator that first emerged in June 2021 and claimed hundreds of victims in its first months. According to the Justice Department's press release on the takedown, Hive has "targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure."
The FBI is the lead agency tasked with investigating cybercrime, including defending hospitals and health systems from frequent cyberattacks. Hear the dramatic story of their recent takedown of the Hive ransomware gang, whose criminal enterprise threatened patient safety.
00;00;00;21 - 00;00;24;25
Tom Haederle
Defending hospitals and health systems from frequent cyber attacks is a battle largely fought in the shadows, out of the public eye. And when the good guys score a big win, as the FBI recently did with its takedown of a criminal gang whose cyber mischief threatened caregivers and patients, some of the operational details must remain in the shadows. Nonetheless, the following is a great story, with a lesson for cybercriminals everywhere: mess with health care and you will pay.
00;01;25;27 - 00;01;50;25
John Riggi
Thanks, Tom. Great to be here again with you and all our listeners. This again is John Riggi, your national advisor for Cybersecurity and Risk. And what a special episode we have today, an exclusive interview with the FBI supervisory special agent Justin Crenshaw, who will be here to give us an inside look at the HIVE ransomware gang takedown.
00;01;51;04 - 00;02;19;08
John Riggi
Really an extraordinary opportunity. And we certainly appreciate Justin and the FBI making themselves available to speak with us about this very, very important takedown concerning this ransomware gang, which had been targeting, among others, hospitals and health systems. Just a quick word about Justin Crenshaw. Justin's been with the FBI as an FBI agent for over 19 years, serving in multiple field offices and in headquarters assignments.
00;04;08;09 - 00;04;34;12
Justin Crenshaw
He then exfiltrates or steals data and then encrypts as many computers as possible on the way out. From that point, the admin and the affiliate negotiate with victims on a dark Web site to try to get a ransom that's paid in Bitcoin. And this is what we call a double extortion model, where victims are expected to pay for decryption keys in order to restore their network, restore operations.
00;06;51;00 - 00;07;16;04
Justin Crenshaw
We know that there were over 1300 HIVE victims. And at least 600 of them were in the United States. Of those 600, more than a hundred of the US victims were hospitals or other health care providers. We believe that HIVE targeted health care for a couple of reasons. First, we believe that they thought hospitals would be quick to pay in order to restore critical operations and be able to care for patients.
00;09;25;20 - 00;09;47;14
Justin Crenshaw
So we were able to provide decryption keys to that hospital and they were able to restore operations almost the same day. And because we were able to do it so quickly, they had not started negotiations with HIVE. They avoided paying a ransom. And to your point earlier, the hospital stated that our action, the quick action providing those decryption keys likely saved lives.
00;09;48;02 - 00;10;22;13
John Riggi
Extraordinary. Most people think that when the FBI becomes involved in response to a major cyberattack, that they're there simply to collect forensic evidence and conduct an investigation, make attribution. Not realizing that the FBI can actually directly assist the victim in recovery. And hopefully help from having to pay the ransom and ultimately helping save lives. So in this instance, really an extraordinary and unique investigation, which was an undercover operation.
00;10;22;29 - 00;10;56;03
John Riggi
Attorney General Garland and FBI Director Wray described in their press conference this truly extraordinary undercover operation in which the FBI was able to covertly infiltrate this group or, in their words, "hack the hackers" for several months without giving up sensitive sources and methods. What can you tell us about this operation, and how were you able to secretly assist the victims of HIVE, just as you described, recover from these ransomware attacks without the bad guys, without the HIVE ransomware operators, catching on?
00;10;56;26 - 00;11;23;25
Justin Crenshaw
Right. So we did gain access to HIVE servers and maintained access for almost seven months. We used that access and appropriate legal authority to obtain all of the HIVE decryption keys and also other sensitive information to help with the investigation. Information on HIVE's infrastructure, admin, affiliates, operations. How we did that was due to coordination with victims and foreign law enforcement partners.
00;11;24;12 - 00;11;55;19
John Riggi
Again, highlights the incredible value of cooperation with the victims. And again, we here at the American Hospital Association always stress that the victims should immediately contact FBI and CISA should they become a victim. We stress that you all are not regulators. You will not be contacting the HHS Office of Civil Rights. And again, we stress that there are practical reasons for them to contact FBI and CISA.
00;11;55;19 - 00;12;22;11
John Riggi
You may be able to help them restore, but also you're able to understand and identify who's behind the attack, gather the malware signatures and put those out in an unattributed national cyber alert to help warn others that may prevent other attacks. So there's lots of reasons. And clearly this is really the textbook example that helped enable your undercover operation.
00;12;38;27 - 00;13;03;21
Justin Crenshaw
And honestly, it's longer than we expected it to last. But I'd credit two things, really. First, good operational security, good OPSEC. And then the other is a strong technical capability. As far as OPSEC, that started as soon as we engaged victims; there was a very deliberate and well thought out effort, I think. We didn't just give victims keys and walk away.
00;13;29;10 - 00;13;57;08
Justin Crenshaw
We'd help walk them through technical issues so they could actually use the keys to decrypt the files. And then after the files were decrypted and restored operations, we would ask that in exchange, they provide us with any new indicators of compromise. Anything else that could help further our investigation. So by working with victims in this way, I'd say not only did we ensure that we protected the operation, we also gained valuable information and helped move the investigation forward.
00;14;19;14 - 00;14;51;23
John Riggi
Yeah, that's a great point, Justin, that often people think of FBI agents as the folks in the raid jackets carrying weapons, kicking down doors. But clearly it's so much and it's just as important to have folks with those technical skills that can break down those digital doors and absolutely penetrate those servers that really make this all happen. You also pointed out the fact that again, that you had to rely on the victim's cooperation to keep this a secret.