U.S. Department of Justice dismantles Hive ransomware group

According to the U.S. Department of Justice, agents last week concluded efforts ongoing since July 2022 to infiltrate the computer networks of the Hive ransomware group, seize its decryption keys and offer them to victims who had been targeted with more than $130 million in ransom demands.

“Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” Attorney General Merrick Garland said. “Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”

Since the operation began, the Federal Bureau of Investigation (FBI) has provided more than 300 decryption keys to Hive victims being actively attacked by the criminal group and more than 1,000 other keys to previous Hive victims. As a final nail in the group’s coffin, the FBI, together with German and Dutch law enforcement, seized control of the group’s servers and websites used for communication with its members.

“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard,” FBI Director Christopher Wray said.

Deputy Attorney General Lisa Monaco referred to the case as equivalent to a 21st-century cyber stakeout.

Hive has been active since at least June 2021. During that time, its members targeted more than 1,500 people and organizations worldwide – hospitals, school districts, financial firms, critical infrastructure, and more. It received more than $100 million in ransom payments during its run from victims in more than 80 countries. The group used a ransomware-as-a-service model, a subscription-based model in which administrators create a ransomware strain with an easy-to-use interface, then recruit affiliates to identify targets and ultimately deploy the software against them. Affiliates were given a percentage cut of each successful ransom.

Hive actors employed a double-extortion model of attack. Before encrypting the victim system, the affiliate would exfiltrate or steal sensitive data. The affiliate then sought a ransom for the decryption key necessary to decrypt the victim’s system and a promise not to publish the stolen data. Hive actors frequently targeted the most sensitive data in a victim’s system to increase the pressure to pay. After a victim paid, affiliates and administrators split the ransom 80/20. Hive published the data of victims who did not pay on the Hive Leak Site.

Chris Galford
