{"id":1493,"date":"2023-07-21T19:07:27","date_gmt":"2023-07-21T19:07:27","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=75737"},"modified":"2023-07-21T19:07:27","modified_gmt":"2023-07-21T19:07:27","slug":"the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/07\/21\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware\/","title":{"rendered":"The FBI\u2019s Cynthia Kaiser on how the bureau fights ransomware"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>The FBI&#8217;s Cynthia Kaiser on how the bureau fights ransomware | CyberScoop<\/title> <meta name=\"description\" content=\"The deputy assistant director with the FBI Cyber Division says the bureau is making real strides against cybercrime but still needs the public's assistance.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cynthia-kaiser-fbi-ransomware-hive\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"The FBI's Cynthia Kaiser on how the bureau fights ransomware\"> <meta property=\"og:description\" content=\"The deputy assistant director with the FBI Cyber Division says the bureau is making real strides against cybercrime but still needs the public's assistance.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cynthia-kaiser-fbi-ransomware-hive\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-07-21T19:07:27+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Michael B. Farrell\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@mikebfarrell\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1689625837g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1686856099g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1689862762g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=008d053dcbaaeb47b822\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/75737\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" 
href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<link rel=\"wlwmanifest\" type=\"application\/wlwmanifest+xml\" href=\"https:\/\/cyberscoop.com\/wp-includes\/wlwmanifest.xml\">\n<meta name=\"generator\" content=\"WordPress 6.2.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=75737\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcynthia-kaiser-fbi-ransomware-hive%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcynthia-kaiser-fbi-ransomware-hive%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-75737 single-format-standard\" id=\"readabilityBody\"> <\/p>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<article 
class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.276198934281\">\n<div class=\"single-article__header-content\" readability=\"29.75\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> The deputy assistant director with the FBI Cyber Division says the bureau is making real strides against cybercrime but still needs the public&#8217;s assistance. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg?resize=600,400 600w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/the-fbis-cynthia-kaiser-on-how-the-bureau-fights-ransomware-1.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> An image of a seized ransomware website is displayed at a press conference where the U.S. Attorney General Merrick Garland made an announcement on an international ransomware enforcement action at the U.S. Justice Department on January 26, 2023 in Washington. (Photo by Kevin Dietsch\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"152.38584998362\"><body readability=\"304.77169996725\"><\/p>\n<p>When the FBI seized the Hive ransomware group\u2019s digital infrastructure earlier this year, it dealt a major blow to one of the world\u2019s most prolific cybercrime syndicates. It was also the result of meticulous planning and coordination with partners around the world \u2014 and a sign of how it plans to go after other hacking operations. The bureau is setting out to get inside these groups\u2019 networks, destroy them from the inside and help victims recover their data. <\/p>\n<p><strong>Cynthia Kaiser<\/strong>, deputy assistant director within the FBI\u2019s Cyber Division, joins CyberScoop\u2019s Safe Mode podcast to talk about the Hive takedown and what else the bureau is doing to fight cybercrime. 
This transcript of the Safe Mode podcast from June 29 has been edited for length and clarity.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-soundcloud wp-block-embed-soundcloud\"><\/figure>\n<p><strong><em>Before we get into sort of the nitty gritty of what you\u2019re doing on the enforcement side around ransomware, I want to sort of step back and get your assessment of just how big of a problem ransomware is today.<\/em><\/strong><\/p>\n<p>Ransomware is obviously a significant threat, and it\u2019s been for the last several years. Now, we know that ransomware actors don\u2019t care who they target. In fact, they\u2019re looking to target entities that have little tolerance for downtime. So that includes <a href=\"https:\/\/cyberscoop.com\/rural-hospital-ransomware\/\" target=\"_blank\" rel=\"noreferrer noopener\">hospitals or just critical infrastructure<\/a> entities. If they think you can\u2019t live without your networks or you can\u2019t operate without your networks, they\u2019re going to go after you. And I think that\u2019s what makes it so insidious and difficult is because they\u2019re just constantly targeting. There\u2019s new variants all the time. There\u2019s new actors, affiliates going between the different variants, which makes it a really difficult ecosystem. As we get into talking about what the FBI is doing about it, it\u2019s that ecosystem concept that we really need to think about. It\u2019s not just a person developing something and then deploying it. It\u2019s a lot of different people working across variants, working across services, cryptocurrency exchanges, marketplaces. And I think that\u2019s that broader effort among all of the criminals that\u2019s really putting a lot of U.S. networks at risk.<\/p>\n<p><strong><em>So where are these people? Where are they located? 
Where are these attacks coming from?<\/em><\/strong><\/p>\n<p>They come globally. A lot of them do come from Russia or Russian-speaking countries. And I think that that bears out in a lot of the different enforcement actions that we\u2019ve announced recently.<\/p>\n<p><strong><em>It just seems like an insurmountable task to fight against this. Are you finding success in battling a lot of these operators and taking them down?<\/em><\/strong><\/p>\n<p>So I think we realized early on that a whack-a-mole approach doesn\u2019t work. Take one ransomware actor down, another one pops up. So what we\u2019re really looking to do is tighten the net around cybercriminals and around the cybercriminal ecosystem. And we do that by targeting those key services that they\u2019re using. And you\u2019ve seen that throughout many of the actions that we\u2019ve done recently. And that includes not just, say, <a href=\"https:\/\/cyberscoop.com\/fbi-europol-hive-ransomware-group\/\" target=\"_blank\" rel=\"noreferrer noopener\">the Hive takedown<\/a>, which I know we\u2019ve all talked about a lot, but cryptocurrency exchanges like <a href=\"https:\/\/cyberscoop.com\/police-shut-down-cryptocurrency-mixer-chipmixer\/\" target=\"_blank\" rel=\"noreferrer noopener\">Chipmixer<\/a>, which was a mixing service that was used by not just ransomware actors, it was used by the [Russian intelligence operatives].&nbsp;<\/p>\n<p><strong><em>Cryptocurrency mixers, for those who don\u2019t know, explain that really quickly.<\/em><\/strong><\/p>\n<p>I think modern day money laundering. 
You put something from one of your wallets into a mixer, and it allows it to come out the other side in a more anonymous way.<\/p>\n<p><strong><em>Those services are something you guys have been looking more closely at in the past few years, right?<\/em><\/strong><\/p>\n<p>Absolutely, and you know there are legitimate purposes for some of that as well, but a lot of nefarious purposes. And so we\u2019ve been looking at that because that\u2019s a way for actors to try to get away from the monitoring that law enforcement or many of our partners can do. And it\u2019s a way for them to really try to cash out those proceeds.<\/p>\n<p><strong><em>So let\u2019s dig into the Hive takedown that you mentioned. What is Hive, first of all, or what was Hive? So let\u2019s start there. And then I\u2019m really interested in just the process. I know this was not a typical sort of operation, but it is sort of indicative of where you might be going in future operations against ransomware groups.<\/em><\/strong><\/p>\n<p>I think it\u2019s really typical for the work that\u2019s being done across the bureau every day. And what was great here is how public we can be about our successes. So <a href=\"https:\/\/cyberscoop.com\/ransomware-hack-phone-call-fbi-hive\/\" target=\"_blank\" rel=\"noreferrer noopener\">Hive was a prolific ransomware variant<\/a> that had targeted the hospitals, educational facilities, etc. And they had thousands of victims worldwide. So what we were able to do through our operation \u2026 is we were able to go through and do little steps along the way, the really hard technical work, hard investigative work to obtain access to a lot of the back-end information from Hive to be able then to sit there and gather information for months without them knowing anything. 
And we were able to proactively provide decrypters to \u2026 victims, hundreds of victims across the U.S., offer it to over 1,300 victims worldwide. So we were able to proactively go out to victims or even targeted entities who didn\u2019t even know that they were targeted yet and provide them with decrypters so that they didn\u2019t have to pay the ransomware actors.<\/p>\n<p><strong><em>Wow, that\u2019s amazing. It must have been a very relieving phone call to get for somebody who\u2019s just become a victim of ransomware. That\u2019s often not what happens.<\/em><\/strong><\/p>\n<p>It was great for people to be able to get that value from the FBI. And I think it really demonstrated the value that the FBI brings into these engagements. It\u2019s not just Hive that has decryption capability. Or we know of the private sector companies that have those decrypters and we can play matchmaker. The key element for anyone who\u2019s been victimized by these groups is to be able to get their networks back, not have to pay that ransom, and know that they\u2019re going to be able to kind of see the other side, keep their business going, not suffer those ill effects on the business even if you pay your ransom or you are able to get from your backups. You still have a lot of negative effects from those attacks. And we were able to head those off. And it\u2019s a great conversation to have with everybody. Because normally people might be coming to us and saying, \u201cHey, something\u2019s hit me, or hey, I\u2019ve been attacked.\u201d But we were able to go proactively to people and get ahead of that. And it was also nice to have data. So, because we had access and understood all of the victims that were being targeted, we were also able to compare that to what was actually being reported to the FBI.&nbsp;<\/p>\n<p><strong><em>That\u2019s quite different, right?&nbsp;<\/em><\/strong><\/p>\n<p>It is. 
And we always know there\u2019s underreporting, but we can\u2019t really quantify that. But in this case, we could. We saw that about 20% of those victims had reported or did report to the FBI. And so that gives us a better understanding of what that scale might be. And it also gives us an understanding of how we need to more closely engage with target entities, potential victims, or just the private sector at large to ensure that we\u2019re able to get a better, more comprehensive view of the ecosystem.<\/p>\n<p><strong><em>Why aren\u2019t people reporting to the FBI when they\u2019ve become victims of ransomware?<\/em><\/strong><\/p>\n<p>I think part of that is they\u2019re not sure what they are getting when they come. Some of them might be scared. When your business is under attack, you\u2019re worried you might have to shutter your business. Maybe that\u2019s just not the first thing they\u2019re thinking about. We want to try to shift that narrative. One part of that is telling people we have other capabilities. It\u2019s not just decrypters, but we know that malicious actors come back and try to reinfect victims that they\u2019ve done before. So, when you call the FBI, we\u2019re able to say, hey, this is this group, this is how they might come try to reinfect you, or they might try to have moved laterally and go here. And we\u2019re able to provide some of that context, especially even some of the classified context that we have, to try to help prevent reinfection. We need to get that message out more about the societal benefit to reporting. You know, we can\u2019t help others if we don\u2019t hear from you and we can\u2019t help you if we don\u2019t hear from others. So being able to understand that you might be the first one to experience an attack, but you\u2019re not going to be the last. 
And the quicker we can get that all out there, the safer everybody is.<\/p>\n<p><strong><em>What we\u2019ve been reporting on is how ransomware operators are becoming more aggressive. We\u2019ve seen news about hospital attacks and groups just leaking the information to entice people to pay the ransom. Is that something that you\u2019re seeing as well?<\/em><\/strong><\/p>\n<p>Absolutely. I think, you know, the terms we\u2019ll end up seeing are double extortion or triple extortion. That effectively means they may threaten to leak information or they will leak information if you don\u2019t pay the ransom. And then that kind of triple element is we actually see ransomware actors threatening business owners, customers, and up near harassment levels to get that payout from these entities. And I think that\u2019s why that front end of ensuring there\u2019s cyber hygiene across the network, that you\u2019re able to defend across the network, but also you\u2019re able to know who to contact immediately when an attack happens so that there\u2019s not downtime and we don\u2019t necessarily give these nefarious actors the space to conduct these horrible activities.<\/p>\n<p><strong><em>So with the Hive investigation, you don\u2019t expect to see arrests made, do you? Or people sitting in court or going to jail as a result of this? And does that even matter?<\/em><\/strong><\/p>\n<p>No. 1, people actually might be surprised to know how many people we put behind bars that do result from several criminal investigations, but that\u2019s not the point. If we think an arrest is both doable and effective, of course we\u2019re going to pursue it. And we\u2019re not going to care if it\u2019s a U.S. arrest, a Ukrainian arrest. It doesn\u2019t matter where it happens. It matters that we get actors off the streets. 
But broader than that, taking away their infrastructure, taking away their money, taking away the way in which they cash out that money is more effective. And it\u2019s more effective when it\u2019s not just the FBI doing it. When our international partners are involved, when our intelligence community and U.S. government partners are involved, that\u2019s where we have the maximum benefit against actors. And that\u2019s the point. The point is to restrict them. The point is, if they\u2019re collecting all this money, but they can\u2019t cash it out and use it, they\u2019re effectively stuffing it under a mattress. And we want to restrict their ability to use that so that they stop attacking in the future.<\/p>\n<p><strong><em>So the FBI has its own hackers, right? I mean, the people who are in the weeds, digging into the investigation, sort of going on the offense against the bad guys. Is that something you have enough of within the Bureau?<\/em><\/strong><\/p>\n<p>We need more technically talented individuals to join the FBI. So that means computer scientists, data analysts, just technically trained agents or analysts, because what we are effectively doing is developing tools. So like you saw with our Operation Medusa, developing technical tools, and that was against the Russian intelligence service, we\u2019re developing tools to be able to very selectively remove malware from networks, from closed back doors, and get the adversary off U.S. networks. And to be able to do that takes a lot of work, a lot of technically talented folks. We also need technically talented folks to be able to deploy to sites through our cyber reaction teams, gather information, and help point out how to remediate. And there is a wide gap, just like in the private sector, just like throughout a lot of the U.S. government, in getting some of those great technically talented folks on board. 
And it\u2019s something we\u2019re working on every day.<\/p>\n<p><strong><em>I do want to talk about that Medusa operation you just mentioned. That was also a really fascinating one, sort of read a bit like a spy thriller. Walk us through that.<\/em><\/strong><\/p>\n<p>So I really appreciate that question because I think FBI\u2019s leadership on <a href=\"https:\/\/cyberscoop.com\/fbi-disrupts-russian-cyber-espionage-tool\/\" target=\"_blank\" rel=\"noreferrer noopener\">Operation Medusa<\/a> really exemplifies for everybody out there just how the FBI is approaching these threats, which is first the range of authorities the FBI can bring to the table to disrupt harmful activity, the range of partners we work with from the intelligence community to DOD to private industry to global law enforcement, and then third our willingness to disrupt malicious activity through a variety of actions that include but go well beyond, as we talked about, arrests and indictments. So backing up, on May 8, the FBI led a multi-agency joint <a href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled\" target=\"_blank\" rel=\"noreferrer noopener\">cyber operation to globally disrupt Snake<\/a>, the most sophisticated cyberespionage tool designed by the Russian Federal Security Service, known as the FSB more colloquially. And the FSB had used this tool for long-term intelligence collection for sensitive targets across the world, including government networks, research facilities, and journalists. So our first step is the FBI developed technical capabilities and deployed those capabilities in collaboration with U.S. and international partners that ultimately mitigated the malware by disrupting its critical functions, rendering it inoperable in the U.S. and abroad. So then the next day, the FBI, along with many of our U.S. 
and Five Eye partners, published <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-129a?utm_medium=email&amp;utm_source=govdelivery\" target=\"_blank\" rel=\"noreferrer noopener\">a joint cybersecurity advisory<\/a>. If listeners haven\u2019t read it, they should. I mean, it really is a phenomenal piece of cyberthreat intelligence because it not only goes into incredible detail about the malware itself and how to mitigate, but it also lays out all of our evidence.&nbsp;<\/p>\n<p><strong><em>So yeah, fascinating read, definitely worth looking at, and super important for people to figure out now that that\u2019s been exposed, how to protect themselves against these vulnerabilities, patch systems, and that sort of thing. What was the timeline like from when that started to when you, to when the public found out about it?<\/em><\/strong><\/p>\n<p>Years. Well, we\u2019re monitoring malware, getting a better sense of what it\u2019s doing, what it can do. This malware was very selectively deployed, not necessarily a broad sweeping campaign. And so it takes a long time to obtain the right artifacts, technical artifacts, to get the right samples, to find it at the right time, to then do the technical evaluations to be able to figure out ways to mitigate it. Then [we have to] coordinate with our partners so that we\u2019re not just eradicating a few instances in the U.S., but it\u2019s going rampant globally. We wanna create these operations to be the most effective they can be, and that did take a lot of time. 
But I think a lot of that really is that technical back end, really hard work, that overall was just a phenomenal effort among a really great group of people.<\/p>\n<p><strong><em>So you\u2019re in the thick of this every day looking at threats, many that we\u2019re not even aware of yet, unless you want to tell us today what the next operation is. But from your point of view, are you positive that some of the things you\u2019re doing are going to make positive change or are we just fighting against this tidal wave of threats and just keeping your head above water? How are things improving?<\/em><\/strong><\/p>\n<p>I think like most of your listeners, the FBI sees a constant stream of cyberthreats that highlight the time, money, and talent that our adversaries are putting into making us less safe. And with that, I feel positive that we\u2019re developing good partnerships that are going to enable us to be better in the future. I think our private sector partnerships have never been stronger. Our relationships across the U.S. government have never been stronger. And the types of operations that we\u2019ve been able to do really, I\u2019d say since 2020, are phenomenal examples of operations that have real impacts. Now they\u2019re not enough. We need to do more of them. And we\u2019re working on doing more of them, not just us, but enabling any partner to do more of them. Part of that\u2019s in international capacity building, working with our partners, ensuring they\u2019re capable of combating cyberthreats because cyber has no borders. And part of that is ensuring that we\u2019re sharing to the maximum extent we can with all our partners information that maybe we would have kept to ourselves before. But now we\u2019re out there and we\u2019re open. And I feel like the right framework is in place and the right use cases for a lot of these great operations are now available for us to expand that effectiveness. 
So I feel hopeful in the trajectory we\u2019re going, but also, I don\u2019t want to sugarcoat how dire some of these cyberthreats that we\u2019re facing are, how much it can feel like, especially to U.S. businesses. I think the only thing I can give businesses in thinking about that is we still see cyber actors using the same methods to get onto networks. They\u2019re guessing simple passwords, they\u2019re going in through common vulnerabilities. And so there\u2019s a lot of really simple cyber hygiene steps that enable our network owners across the U.S. to counteract this wave of threats. And I think my ideal world is a world in which [threat] actors have to spend millions of dollars and years making tools that then they try to target us selectively with. That means when we take those down that we have a huge impact. And it means that we\u2019re really gumming up the works of their cyber operations machine.<\/p>\n<p><strong><em>You must get a lot of questions, especially from people who don\u2019t exist in the world of cybersecurity. What\u2019s the one piece of advice you give to people to make sure that they can be more secure?<\/em><\/strong><\/p>\n<p>Patch. I think that there\u2019s great services in place where you can have patch services so that it\u2019s automatic. You don\u2019t necessarily have to remember every Tuesday to go in, but enabling some of those services, ensuring that you\u2019re patching common vulnerabilities, that\u2019s really one of the key ways we see adversaries targeting us.<\/p>\n<p><strong><em>Well, Cynthia, we could talk about this all day long, but I\u2019m sure you\u2019ve got other things to do. Thanks so much for joining us.<\/em><\/strong><\/p>\n<p>Thank you. 
I really enjoyed it.<\/p>\n
<\/body> <a href=\"https:\/\/cyberscoop.com\/cynthia-kaiser-fbi-ransomware-hive\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The FBI&#8217;s Cynthia Kaiser on how the bureau fights ransomware<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282],"tags":[286],"class_list":["post-1493","post","type-post","status-publish","format-standard","hentry","category-cybercrime","tag-cybercrime"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category 
tag\">cybercrime<\/a>","tag_info":"cybercrime","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1493"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1493\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}