FBI covertly infiltrated the Hive network, which has targeted more than 1,500 victims in over 80 countries around the world, and thwarted over $130 million in ransom demands.

The US Department of Justice (DOJ), along with international partners, has taken down the Hive ransomware group. The operation, which began in July 2022, resulted in the FBI penetrating Hive's computer networks, capturing its decryption keys, and offering them to victims worldwide, sparing victims from having to pay the $130 million in ransom demanded, the DOJ said in a release on Thursday.

"Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world," Attorney General Merrick B. Garland said in the release.

Since infiltrating Hive's network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. The FBI also distributed over 1,000 additional decryption keys to previous Hive victims.

In coordination with the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen and the Netherlands National High Tech Crime Unit, the department seized control of the servers and websites that Hive was using to communicate with its members, disrupting Hive's ability to attack and extort victims.

Hive ransomware group

The Hive ransomware group has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure. In 2022, 5.5% of all observed ransomware attacks were attributed to the Hive group, placing it among the top five most active ransomware families for the year, according to SOCRadar.

"In 2022, Hive was the most prolific family that we directly observed in incident response engagements, accounting for over 15% of the ransomware intrusions that we responded to," Kimberly Goody, senior manager at Mandiant Intelligence – Google Cloud, said in a statement. About 50% of all Hive's public victims were based in the US, Mandiant said.

Hive ran a ransomware-as-a-service model, in which its developers sold their ransomware code to affiliates, who carried out the actual attacks. Hive used a double-extortion model for its attacks: the affiliates would first steal the victim's sensitive data and then encrypt the systems. The affiliate would then demand a ransom both for the decryption key needed to restore the victim's systems and for a promise not to publish the stolen data.

"Hive actors frequently targeted the most sensitive data in a victim's system to increase the pressure to pay. After a victim pays, affiliates and administrators split the ransom 80/20. Hive published the data of victims who do not pay on the Hive Leak Site," the DOJ said in its release.

Initial variants of the Hive ransomware, versions 1 to 4, were written in Go. However, after the Korea Internet & Security Agency (KISA) released a public decryptor for victims of Hive ransomware in mid-2022, the group switched to Rust, starting with version 5, to develop new variants of its ransomware, according to SOCRadar. Since June 2021, the Hive ransomware group has received over $100 million in ransom payments.

"Hive is a key example of a trend we've seen in ransomware actors looking to move away from conventional software-based ransomware and push towards ransoming key information like personal or financial data, and intellectual property," Jordan LaRose, practice director at NCC Group, said in a statement. "This type of ransom is much easier to carry out by attackers and is enabled by platforms like Hive. Targeting and destroying these platforms is an effective way to combat these newer tactics," LaRose added.

The Hive Leak website displayed a message saying it had been seized by an international law enforcement coalition including the department and the FBI.

"The seizure of both the DLS and victim negotiation portal is a major setback to the adversary's operations. Without access to either site, HIVE affiliates will have to rely on other means of communication with their victims and will have to find alternate ways to publicly post victim data," Adam Meyers, head of intelligence at CrowdStrike, said in a statement.

An example set for cybercriminals?

The takedown of the Hive group by the FBI has garnered a lot of praise from authorities and cybersecurity firms.

"In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million in ransomware payments," Deputy Attorney General Lisa O. Monaco said in the statement. "We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat."

FBI Director Christopher Wray said the coordinated disruption of Hive's computer networks shows what can be accomplished by combining a relentless search for useful technical information to share with victims with an investigation aimed at developing operations that hit our adversaries hard.

Some cybersecurity experts feel the disruption of the Hive service won't cause a serious drop in overall ransomware activity, even though it is a blow to a dangerous group that has endangered lives by attacking the healthcare system.

"Infrastructure recovery is likely to set back the development of the Hive 'product', but Ransomware-as-a-Service makes it possible for some of that capability to be shifted or recovered," Justin Fier, SVP of Red Team Operations at Darktrace, said in a statement.
"For the victims affected, it is sadly the case that obtaining a decryption key doesn't always get the data back and recovery can be a long and grueling process that could incur a higher cost than the original ransom."