The FBI, Europol, and law enforcement authorities from several European countries have disrupted the Hive ransomware group’s operations, seizing two backend servers located in Los Angeles and taking down the group’s darknet sites.
In an operation that began last July, the FBI was able to gain access to the internal control panel used by the Hive actors, gather decryption keys and pass them on to victims, and monitor the group’s activities. The Department of Justice announced the Hive takedown on Thursday and said that law enforcement was able to get decryption keys to more than 1,300 victims, preventing those organizations from having to pay ransoms. FBI agents were able to infiltrate the Hive network using unspecified means and remain hidden for several months, watching the actors’ activities, taking note of new victims, and grabbing decryption keys to help those victims recover their data without paying ransoms.
“For the past several months, the FBI and our partners have been inside the network of one of the world’s top five ransomware groups, Hive. For all the group’s technical prowess, it couldn’t outfox our prosecutors, agents and international law enforcement coalition,” Assistant Attorney General Lisa Monaco said.
“We hid in the network for months, taking keys and passing them to victims. Using lawful means we hacked the hackers, we turned the tables on Hive and we busted their business model.”
Emerging in June 2021, Hive joined the growing number of ransomware-as-a-service operations and quickly began racking up victims, including hospitals, school districts, and other targets. The FBI estimated that Hive has targeted more than 1,500 victims since its inception and received more than $100 million in ransom payments. The group used the increasingly popular double-extortion tactic in its attacks, demanding one payment for the decryption of data and another one to prevent the group from publishing stolen information.
U.S. authorities worked with law enforcement agencies in Germany and the Netherlands, as well as with Europol, on the operation and the takedown of the Hive darknet sites.
“Our access to the Hive infrastructure was no accident,” said FBI Director Christopher Wray.
The takedown of Hive is a significant milestone in the effort to disrupt the ransomware ecosystem, but because of the way that RaaS groups operate, it’s likely that many Hive affiliates will simply move to other ransomware groups and continue their exploits.
The FBI did not announce any arrests as part of the Hive takedown.