FBI dismantles Hive ransomware group, provides decryption keys to victims

Government hackers broke into Hive’s network and obtained the decryption keys the criminals used to unlock victim organizations' data, sparing victims from paying $130 million in ransoms.


The U.S. Justice Department announced Thursday it has disrupted the operations of prolific ransomware gang Hive, which the agency said has so far targeted more than 1,500 victims — including hospitals, school districts, financial firms, and critical infrastructure — in over 80 countries.

“The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators,” U.S. Deputy Attorney General Lisa O. Monaco said in a statement. “In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”

The DOJ says it secretly infiltrated Hive’s infrastructure in July 2022 and monitored the gang’s activity for half a year, which allowed law enforcement to learn about attacks in advance and alert would-be victims, saving them millions in ransoms. For instance, a Texas school district and a Louisiana hospital were spared $5 million and $3 million, respectively.

The operation was carried out in cooperation with German and Dutch law enforcement agencies, who seized Hive’s servers in their respective countries. Additionally, the FBI gained access to two dedicated servers and one virtual private server located in Los Angeles, California.


"In addition to decryption keys, when the FBI examined the database found on Target Server 2, the FBI found records of Hive communications, malware file hash values, information on Hive’s 250 affiliates, and victim information consistent with the information it had previously obtained through the decryption key operation," the affidavit reads.

Hive’s Tor websites now display an animated GIF that switches between a message in English and Russian and lists all countries involved with the operation.

Seizure notice left by the FBI on Hive Tor website

"This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware," the seizure notice reads.

One of the most prolific ransomware gangs, Hive operated a ransomware-as-a-service (RaaS) model, in which administrators, sometimes called developers, create, maintain, and update malware, while affiliates conduct the attacks, earning a commission on each successful ransom payment.

Top 5 ransomware strains by quarter, 2022.
Image: Chainalysis

According to the FBI, Hive hackers typically employed a double-extortion attack, meaning that affiliates demanded ransom in cryptocurrencies for both the decryption key necessary to recover the victim’s encrypted system and a promise to not publish the stolen data. On its Hive Leak Site, criminals would publish the data of victims who refused to pay.

According to blockchain forensics firm Chainalysis, revenues from ransom payments were significantly down in 2022, as more victims refused to pay. Last year, ransomware attacks netted hackers at least $456.8 million, down from $765.6 million in 2021.