One of the most notorious and prolific cybercriminal groups, the Hive ransomware gang, was hit by a joint operation conducted by the FBI, Europol and local police from several countries. Hive’s online infrastructure was seized, including its online dump site and encryption keys.
On Thursday, the FBI confirmed that they had access to Hive’s network since July 2022, which allowed them to decrypt the systems of over 336 victims — as they had access to the keys without Hive knowing — and prevent ransom payments of over $130 million. The access also allowed the FBI to disrupt operations and save millions in potential ransom costs.
“This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware. This action has been taken in coordination with the United States Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol,” the takedown notice on Hive’s site reads.
Hive ransomware primarily operates as a ransomware-as-a-service, which means that while the ransomware is developed and maintained by the core Hive members, it is used by cybercriminals worldwide. For example, if an affiliate using Hive’s ransomware attacks an organisation, Hive receives a share of the ransom paid by the victim even though it did not carry out the attack itself; the other half stays with the affiliate cybercriminals who used Hive’s ransomware for the attack.
“The FBI’s strategy to combat ransomware leverages both our law enforcement and intelligence authorities to go after the whole cybercrime ecosystem—the actors, their finances, their communications, their malware, and their supporting infrastructure. And since 2021, that’s exactly how we’ve hit Hive ransomware,” said Christopher Wray, Director, FBI.
Since June 2021, Hive has targeted a wide range of businesses and government infrastructure, including healthcare, telecom, IT, and schools. The group successfully extorted nearly $100 million from 1300 companies in 80 countries during that period. In October 2022, India-based Tata Power was hit by the Hive ransomware, and its data was leaked after negotiations fell through.
The National Crime Agency of the UK, the US Secret Service and FBI, the Royal Canadian Mounted Police (RCMP) and Peel Regional Police, National Police of France, Ireland, Norway, Netherlands, Lithuania, Portugal, Romania, Spain, and Sweden were involved in the takedown efforts.
“In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the centre of our efforts to mitigate the cyber threat,” said Attorney General Merrick B. Garland.