Jan 30, 2023

Attorney General Merrick Garland Makes Ransomware Announcement Transcript

Attorney General Merrick Garland Makes Ransomware Announcement Transcript
RevBlogTranscriptsMerrick GarlandAttorney General Merrick Garland Makes Ransomware Announcement Transcript

U.S. Attorney General Merrick Garland announces an international ransomware enforcement action. Read the transcript here.

Transcribe Your Own Content

Try Rev and save time transcribing, captioning, and subtitling.

Merrick Garland (00:00):

Hive extorted over 100 million in ransom payments from its victims. Last summer, FBI agents from the Tampa division with the support of prosecutors in the criminal divisions, computer crime and intellectual property section, and the middle district of Florida, infiltrated the Hive network and began disrupting Hive’s attempts to extort victims.

For example, the FBI disrupted a hive ransomware attack against the Texas school district’s computer systems. The bureau provided decryption keys to the school district, saving it from making a $5 million ransom payment. That same month, the FBI disrupted a Hive ransomware attack on a Louisiana hospital, saving the victim from a $3 million ransom payment. The FBI was also able to disrupt an attack on a food services company. The bureau provided the company with decryption keys and saved the victim from a $10 million ransom payment.

Since July of last year, we provided assistance to over 300 victims around the world, helping to prevent approximately $130 million in ransom payments. Our continued investigative efforts led us to two backend computer servers located in Los Angeles, that were used by Hive to store the network’s critical information. Last night, pursuant to court order, we seized those servers. We also received court authorization to wrest control of Hive’s, dark net sites, and render its services unavailable. This morning, if a Hive affiliate tries to access their dark net site, this is what they will see.

Our investigation into the criminal conduct of Hive members remains ongoing. I want to thank all of the agents, prosecutors, and staff across the department for their work on this matter. I also want to thank the United States Secret Service, as well as all of our international partners, including Germany and the Netherlands, as well as our law enforcement partners at Europol.

Cyber crime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone, anywhere who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks. Now I’m now going to turn over the podium to Deputy Attorney General Monaco.

Deputy Attorney General Monaco (03:00):

Good morning and thank you, Mr. Attorney General. Over the last two years, the attorney general and I have made clear that the department will use all of the tools at its disposal and work with our partners to attack the ransomware threat from every angle. The department’s agents, prosecutors, and trial attorneys have partnered with law enforcement allies across the globe to track ransom payments through the blockchain and seize them back for victims, to dismantle ransomware networks, to warn targets of exigent ransomware threats, and to prevent attacks, and to disrupt the criminal ecosystem that enables the targeting of innocent victims.

We’ve made it clear that we will strike back against cyber crime using any means possible and today’s action reflects that strategy. We have also pledged to place victims at the center of our strategy and our mission, and to prioritize prevention.

As you will hear in more detail from the FBI director, for the past several months, the FBI and our prosecutors have been inside the network of one of the world’s most prolific ransomware variants, Hive the FBI has labeled Hive a top five ransomware threat, both for its technical sophistication but also for the harm that it can inflict on its victims. But for all of the group’s technical prowess, it could not outfox our prosecutors, our agents, and our international law enforcement coalition.

Unbeknownst to Hive, in a 21st century cyber stakeout, our investigative team lawfully infiltrated Hive’s network and hid there for months, repeatedly swiping decryption keys and passing them on to victims to free them from ransomware. For months, we helped victims defeat their attackers and deprived the Hive network of extortion profits. Simply put, using lawful means, we hacked the hackers. We turned the tables on Hive and we busted their business model, saving potential victims approximately $130 million in ransomware payments.

Successful actions like the one we announced today, require the creative use of civil and criminal authorities and they require partnerships. Among law enforcement, to be sure, but also with victims. Our actions in this investigation should speak clearly to those victims. It pays to come forward and to work with us.

We are all in this together. We need your help to stop cyber criminals, to prevent future victims, and in exchange, we pledge our tireless efforts to help you protect your systems and to prevent or recover losses.

When a victim steps forward, it can make all the difference in recovering stolen funds or obtaining decrypt or keys. So, whether you own a small business or run a Fortune 500 company, whether you oversee a school district or manage a hospital, we can work with you to counter ransomware, to mitigate harm, to prevent loss, and to strike back at the bad guys.

Although today’s announcement marks an important success in the international fight against ransomware, we will not rest when it comes to Hive and its affiliates and other ransomware actors. If you target victims here in the United States, the Department of Justice will target you. And if you’re a victim, know that the Department of Justice and the FBI are on the job and we’ll be fighting for you and alongside you throughout your moment of crisis. I’d now like to turn the podium over to Director Wray.

Chris Wray (07:35):

Well, I’m pleased to be here today to represent the FBI to speak about our year and a half long disruption campaign against the Hive ransomware group. Hive hurt thousands of victims across the country and around the world until the FBI and our partners disrupted them, helping their victims decrypt their networks without Hive catching on, and then today, dismantling Hive’s front and backend infrastructure in the US and abroad.

This operation was led by our Tampa field office, assisted by our cyber division team at FBI headquarters, and other field office personnel around the country, but also by FBI personnel stationed around the world who led the collaboration with our foreign law enforcement partners, often shoulder to shoulder, scrutinizing the same data that was essential to today’s success. Especially the fine work of the German Reutlingen Police Headquarters, the German Federal Criminal Police, the Netherlands National High-Tech Crime Unit and Europol.

This coordinated disruption of Hive’s networks illustrates the power of collaboration between the FBI and our international partners. The FBI’s strategy to combat ransomware leverages both our law enforcement and intelligence authorities to go after the whole cyber crime ecosystem, the actors, the finances, their communications, their malware, and their supporting infrastructure. And since 2021, that is exactly how we’ve hit Hive ransomware.

Last July, FBI Tampa gained clandestine persistent access to Hive’s control panel and since then, for the past seven months, we’ve been able to exploit that access to help victims while keeping Hive in the dark, using that access to identify Hive’s victims and to offer over 1,300 victims around the world keys to decrypt their infected networks, preventing at least $130 million in ransom payments and cutting off the gas that’s fueling Hive’s fire. Our access to hives infrastructure was no accident or coincidence. Across our cyber program, we combine our technical expertise, our experience handling human sources, and our other investigative trade craft, to seek out technical indicators that victims can use to protect themselves.

And here, that focus on obtaining useful technical indicators led us to Hive’s decryption keys, which we turned around and provided to those in need, like when our investigative team identified the initial stages of an attack against the university, proactively notified the school and gave it the tactical information that it needed to kick Hive off of its network before ransomware was deployed. Or in another instance, when an FBI case agent and computer scientist rushed to provide hands-on support to a local specialty clinic and helped the doctor who also managed that clinic’s IT security, identify his office’s vulnerabilities and deploy his decryption key because no victim is too small. We’ve also shared keys with many victims overseas through our foreign-based legal attache offices, like when we gave a foreign hospital a decrypt or they used, to get their systems back up before negotiations even began, possibly saving lives.

Now, as we move to the next phase of the investigation, we’ve worked with our European partners to seize the infrastructure used by these criminal actors, crippling Hive’s ability to sting again. I’m also here today to thank those victims and private sector partners who worked with us and who helped make this operation possible by protecting its sensitivities and to demonstrate that we can and we will act on the information that victims share with us.

So today’s lesson for businesses, large and small, for hospitals and police departments, and really all the other many victims of ransomware is this, reach out to your local FBI field office today, introduce yourselves so that you know who to call if you become the victim of a cyber attack. We are ready to help you build a crisis response plan so that when an intruder does come knocking, you’ll be prepared.

And like the Hive victims here, when you talk to us in advance, as so many others have, you will know how we operate, quickly and quietly giving you the assistance, the intelligence, and the technical information that you want and you need. Unfortunately, during these past seven months, we found that only about 20% of Hive’s victims reported potential issues to law enforcement. Here, fortunately, we were still able to identify and help many victims who didn’t report, but that is not always the case. When victims report attacks to us, we can help them and others too.

Today’s announcement is only the beginning. We’re going to continue gathering evidence, building out our map of Hive developers [inaudible 00:13:01] knowledge [inaudible 00:13:02] arrests, seizures and other operations, whether by the FBI or other partners and abroad. Now, while this is yes, a fight to protect our country, our citizens and our national security, make no mistake, the fight for cybersecurity spans the globe, but the FBI’s presence and partnerships do as well. So, a reminder to cyber criminals, no matter where you are and no matter how much you contort and try to twist and turn to cover your tracks, your infrastructure, your criminal associates, your money and your liberty are at risk and there will be consequences. Thank you.

Speaker 4 (13:45):

All right, we’ll take a couple questions. Sarah?

Sarah (13:48):

Thanks for doing this.

Merrick Garland (13:49):


Sarah (13:50):

I have two questions, two different topics. On the topic of this press conference, can you talk a little bit about how you infiltrated Hive, how you stayed under the radar for so long, just a little bit more about how big this organization was [inaudible 00:14:07] people round the globe and what are the chances of it [inaudible 00:14:12]. And then on my non-Hive question, I wanted to know, in light of the revelations of former president, a current president and a former vice president having classified documents, is the Justice Department urging other former White House officials or high ranking intelligence officials to go back protectively, to review their own files just out of precaution to see if they may accidentally have retained any material?

Merrick Garland (14:42):

So, I’m not going to be able to talk about the latter question. On the former question, I’ll start and then I’ll turn it over to the director.

So, I think as you can hear from the various statements that we’ve made, this really has proceeded in three steps. We begin with cooperation from private sector victims, which is essential for us to succeed. Then we use court authorized access to electronic systems, search warrants, court orders to get into the system. This is not exactly hiding in plain sight, this is just hiding. And we hide and we watch as they proceed with their attacks, and we discover the keys and we deliver the keys to the victims so that they can encrypt their systems and not have to pay the ransomware.

And then finally, and this is what happened last night, we take down the infrastructure. We take down the servers that power Hive’s ability to go ahead and we can only do that once we locate where the servers are. And that’s what we were able to do just very, very recently and resolve the matter last night. I’m going to turn it over to Chris.

Chris Wray (15:51):

So, I don’t think I can give you numbers on the size, but I would say a couple things. Obviously, you can look at the sheer number of victims around the world and around the country. The diversity of victims, both big businesses and small, the number of foreign partners involved. The thing to understand about ransomware variants and networks like Hive, is you’ve got the developers who create the malware and the administrators, which sounds benign, but is actually, I think almost like the hub of the variant. And then you’ve got all the affiliates. And part of what makes these things challenging is, and Hive is a good example of it, is what we call ransomware as a service, or cyber crime as a service where essentially, the sophistication that those first groups have, essentially they’re marketing their cyber expertise to a whole range of less sophisticated but now suddenly dangerous cyber criminals. And that’s why this is so significant.

As far as arrests, I think anybody involved with Hive should be concerned because this investigation is very much still ongoing and we are engaged in what we call joint sequenced operations. The attorney general described it well, but that includes everything from going after their infrastructure, going after their crypto, going after the people who work with them, here, getting the keys and making those available. But it also includes hunting people down with our partners around the world. And sometimes those people may face a US criminal justice system, but sometimes they may face charges with all of our many partners who are increasingly lashed up with us.

Speaker 4 (17:33):


Chris (17:35):

Thank you for doing this. A question on Hive and then an off-topic question for you, Mr. Attorney General. On Hive, what is the connection to the Russian government at this point with regard to Hive? Do you believe that the Russian government is aiding or sheltering people behind Hive? And I noticed that there weren’t any arrests being announced today. Do you anticipate that you will be announcing arrests with regard to that? Then I have the off-topic question.

Merrick Garland (18:03):

Yeah, so I think unfortunately on that topic, we’re in the middle of an ongoing investigation, so I don’t think we’re going to be able to discuss any of the particulars of the question that you asked. I’m a little afraid that’s going to be the answer to your second question as well. But go ahead.

Chris (18:18):

Mr. Attorney General, I just wanted to ask you with regard to the Trump and Biden special counsels, are you considering an effort to coordinate the work of these two special counsels, such as maybe their timeline or their final reports, so the public can have somewhat of an apples to apples comparison at the end of this? Or do you view that as interference in the special counsel’s work?

Merrick Garland (18:44):

Well, I don’t want to talk about the particulars of investigations, and particularly not a special counsel investigation. Say, as a general matter, the people we choose for special counsel are experienced prosecutors with experience in the Justice Department. They know how the Justice Department works, they know what the department’s practices are, and I’m fully confident that they will resolve these matters one way or the other in the highest traditions of the department.

Speaker 4 (19:12):

All right, Kent?

Kent (19:14):

For Director Wray, could you talk a little bit about how unusual this sort of operation is? Has the FBI ever before penetrated a ransomware network to this extent, where it’s able to provide the keys? And then a second off-topic. As somebody who deals with classified information every day, without asking you to comment on any pending matter, are you concerned that the system for accounting for classified information in the Executive Branch may be broken?

Chris Wray (19:41):

So, on the first question, we have started to have more and more situations where we are able to, through the ingenuity and tenacity of our personnel, get access to keys. I’m not sure we’ve had one that’s been quite the scale in terms of the sheer number of keys we’ve been able to get access to and the sheer number of victims we’ve been able to help over this period of time. We did have the Kaseya case not that long ago, where there were keys that we were able to get access to.

The other part of what happened here today, we’ve also started to do more often, which is this dismantling of the cyber criminals’ infrastructure. And sometimes that involves taking down dark neck marketplaces. Other times, it involves essentially removing malware from systems. But more and more, I think you can expect to see from the FBI and our partners, situations where success, where impact, is achieved by more than just arrests. Where we’re doing things like getting keys to victims, taking down infrastructure, seizing cryptocurrency, being much more creative and multidisciplinary in how we attack the problem because I think that’s what’s called for, and it’s a direct outgrowth of the new … no longer new, but cyber strategy that we rolled out a few years ago.

On the second question, obviously I can’t comment on any specific investigation, but we have had for quite a number of years, any number of mishandling investigations. That is unfortunately a regular part of our counterintelligence division’s and counterintelligence program’s work. And people need to be conscious of the rules regarding classified information and appropriate handling. I mean, those rules are there for a reason.

Speaker 4 (21:27):

Thank you all.

Merrick Garland (21:27):

Thank you.

Transcribe Your Own Content

Try Rev and save time transcribing, captioning, and subtitling.