FBI takes down Hive ransomware group in an undercover operation

The US Department of Justice (DOJ) along with international partners has taken down the Hive ransomware group. The operation that began in July 2022 resulted in the FBI penetrating Hive’s computer networks, capturing its decryption keys, and offering them to victims worldwide, preventing victims from having to pay the $130 million in ransom demanded, DOJ said in a release on Thursday. 

“Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” Attorney General Merrick B. Garland said in the release.  

Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. FBI also distributed over 1,000 additional decryption keys to previous Hive victims. 

In coordination with the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen and the Netherlands National High Tech Crime Unit, the department seized control of the servers and websites that Hive was using to communicate with its members, disrupting Hive’s ability to attack and extort victims.

Hive ransomware group 

The Hive ransomware group has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure. In 2022, 5.5% of all observed ransomware attacks were attributed Hive group, making it the top five most active ransomware for the year, according to SOCRadar. 

“In 2022, Hive was the most prolific family that we directly observed in incident response engagements, accounting for over 15% of the ransomware intrusions that we responded to,” Kimberly Goody, senior manager at Mandiant Intelligence – Google Cloud said in a statement. About 50% of all Hive’s public victims were based in the US, Mandiant said. 

Hive ran a ransomware-as-a-service model, where its developers sold their ransomware code to affiliates, who carried out the actual attack. Hive used a double-extortion model for its attack—the affiliates would first steal the victim’s sensitive data and then encrypt the systems. The affiliate would then seek a ransom for both the decryption key necessary to decrypt the victim’s system and a promise to not publish the stolen data.  

“Hive actors frequently targeted the most sensitive data in a victim’s system to increase the pressure to pay. After a victim pays, affiliates and administrators split the ransom 80/20. Hive published the data of victims who do not pay on the Hive Leak Site,” the DOJ said in its release. 

Initial variants of the Hive ransomware versions 1 to 4 were written in GoLang. However, after the Korea Internet & Security Agency (KISA) released a public decryptor for the victims of Hive ransomware in mid-2022, the group switched to Rust language, specifically with version 5, to develop new variants for their ransomware, according to SOCRadar. 

Since June 2021, the Hive ransomware group received over $100 million in ransom payments.

“Hive is a key example of a trend we’ve seen in ransomware actors looking to move away from conventional software-based ransomware and push towards ransoming key information like personal or financial data, and intellectual property,” Jordan LaRose, practice director at NCC Group said in a statement. 

“This type of ransom is much easier to carry out by attackers and is enabled by platforms like Hive. Targeting and destroying these platforms is an effective way to combat these newer tactics,” LaRose added. 

The Hive Leak website displayed a message saying it had been seized by an international law enforcement coalition including the department and the FBI. “The seizure of both the DLS and victim negotiation portal is a major setback to the adversary’s operations. Without access to either site, HIVE affiliates will have to rely on other means of communication with their victims and will have to find alternate ways to publicly post victim data,” Adam Meyers, head of intelligence at CrowdStrike said in a statement. 

An example set for cybercriminals?

The takedown of Hive Group by the FBI has garnered a lot of praise from authorities and cybersecurity firms. 

“In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million in ransomware payments,” Deputy Attorney General Lisa O. Monaco, said in the statement. “We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”

FBI Director Christopher Wray said the coordinated disruption of Hive’s computer networks shows what can be accomplished by combining a relentless search for useful technical information to share with victims with an investigation aimed at developing operations that hit our adversaries hard. 

Some cybersecurity experts feel the disruption of the Hive service won’t cause a serious drop in overall ransomware activity, even though it is a blow to a dangerous group that has even endangered lives by attacking the healthcare system. 

“Infrastructure recovery is likely to set back the development of the Hive ‘product’, but Ransomware-as-a-Service makes it possible for some of that capability to be shifted or recovered,” said Justin Fier, SVP of Red Team Operations for Darktrace said in a statement. “For the victims affected, it is sadly the case that obtaining a decryption key doesn’t always get the data back and recovery can be a long and grueling process that could incur a higher cost than the original ransom.”