The U.S. Justice Department announced Thursday it has disrupted the operations of prolific ransomware gang Hive, which the agency said has so far targeted more than 1,500 victims — including hospitals, school districts, financial firms, and critical infrastructure — in over 80 countries.
“The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators,” U.S. Deputy Attorney General Lisa O. Monaco said in a statement. “In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”
The DOJ says it secretly infiltrated Hive’s infrastructure in July 2022 and had been monitoring the group’s activity for half a year, which allowed law enforcement to learn about attacks in advance and alert the would-be victims, saving them millions in ransoms. For instance, a Texas school district and a Louisiana hospital were spared $5 million and $3 million, respectively.
The operation was carried out in cooperation with German and Dutch law enforcement agencies, which seized Hive’s servers in their respective countries. Additionally, the FBI gained access to two dedicated servers and one virtual private server located in Los Angeles, California.
“In addition to decryption keys, when the FBI examined the database found on Target Server 2, the FBI found records of Hive communications, malware file hash values, information on Hive’s 250 affiliates, and victim information consistent with the information it had previously obtained through the decryption key operation,” the affidavit reads.
Hive’s Tor websites now display an animated GIF that switches between a message in English and Russian and lists all countries involved with the operation.
“This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware,” the seizure notice reads.
One of the most prolific ransomware gangs, Hive operated a ransomware-as-a-service (RaaS) model, in which administrators, sometimes called developers, create, maintain, and update malware, while affiliates conduct the attacks, earning a commission on each successful ransom payment.
According to the FBI, Hive hackers typically employed a double-extortion attack, meaning that affiliates demanded ransom in cryptocurrencies for both the decryption key necessary to recover the victim’s encrypted system and a promise to not publish the stolen data. On its Hive Leak Site, criminals would publish the data of victims who refused to pay.
According to blockchain forensics firm Chainalysis, revenues from ransom payments were significantly down in 2022, as more victims refused to pay. Last year, ransomware attacks netted hackers at least $456.8 million, down from $765.6 million in 2021.