FBI tries to get more victims to call them after Hive ransomware operation

The Justice Department’s recent, historic operation that thwarted a notorious ransomware gang came with a barely coded messaged: More ransomware victims should call the FBI.

Why it matters: Targets of ransomware and other malicious cyber incidents often fear that if they call the FBI, they’ll have to give agents overly broad network access, they’ll be named in future litigation, or the attackers will leak sensitive information.

• Federal officials have spent the last few years trying to assuage those concerns as government investments in anti-ransomware initiatives have grown.

Driving the news: Last week, the DOJ unveiled a monthslong operation where FBI agents invaded the Hive ransomware gang’s darknet operations. Officials stole and distributed decryption keys to hundreds of victims mid-attack and ultimately shut down some of the gang’s key digital infrastructure.

• Most of Hive’s victims were U.S. schools, hospitals and other critical infrastructure organizations.

The big picture: At a press conference detailing the campaign, FBI director Christopher Wray estimated that only 20% of Hive’s victims reported potential issues to law enforcement during the bureau’s seven-month operation.

• Experts told Axios that the speedy assistance officials shared last week could help encourage more ransomware targets to call the FBI when they’re attacked.

Flashback: The FBI’s quick deployment of a Hive decryption key to victims during the sting operation is a complete 180-degree turn from a similar operation the bureau handled nearly two years ago.

Between the lines: Misconceptions about how the FBI and other federal investigators, including those at the Cybersecurity and Infrastructure Security Agency, handle ransomware investigations have led to industry distrust, Adam Flatley, vice president of intelligence at cyber defense firm Redacted, told Axios.

• Many organizations think federal investigators will overrun their internal investigations, but the FBI typically just wants to identify the perpetrators and recover any financial losses, Flatley said.
• While many ransomware gangs threaten victims to not call the feds, the Hive operation shows the FBI is capable of discreetly helping victims, Flatley added.

The intrigue: Helping more ransomware victims also helps the FBI to track trending cyber threats that could pose a broader national security risk to the country.

But many ransomware victims also might not consider calling federal investigators during an incident, Austin Berglas, global head of professional services at BlueVoyant and a former FBI agent, told Axios.

• “If your house is burning, you’re doing whatever it takes to make sure that your business stays afloat,” Berglas said. “Calling law enforcement is the last thing you’re thinking about.”
• About 45% of cyber professionals also think calling in law enforcement would slow down data recovery and distract their companies’ IT teams, according to a 2021 survey from cybersecurity firm Talion.

Yes, but: While Wray’s estimate of 20% might seem low, former agents and officials told Axios that number was a lot higher than they’d expected.

• Critical infrastructure, in particular, has gotten a lot better at calling in the FBI because of the concerted government outreach targeting them in recent years, Berglas said.

Of note: FBI cyber field agents across the country are often looking to meet nearby companies to help establish a relationship before an incident happens.

What’s next: All eyes are on how CISA enacts forthcoming cyber incident reporting laws and whether those will help connect ransomware victims with law enforcement resources faster — or disrupt the budding trust being built between industry and federal investigators.

Sign up for Axios’ cybersecurity newsletter Codebook here.