Federal law enforcement has taken down the notorious Hive ransomware crew, the culmination of a months-long campaign to stymie the group’s ability to trap roughly 300 victims into coughing up some $130 million in ransom demanded, officials said.

Hive has targeted more than 1,500 victims in 80 countries worldwide, including hospitals, school districts, financial firms and critical infrastructure over years. During 2022, Hive was among the most active ransomware groups among Lockbit, Alphv and Blackbasta.

FBI Infiltrates Hive

In a widespread operation that included Germany and The Netherlands law enforcement, the FBI in late July 2022, crawled into Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide. All told, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims.

Deputy U.S. Attorney General Lisa Monaco said government hackers broke into Hive's network and put the gang under surveillance, covertly stealing the decryption keys the group used to unlock victim organizations' frozen data. Victims were notified in advance so they could take steps to protect their systems before Hive demanded the payments.

"Using lawful means, we hacked the hackers," Monaco told reporters. "We turned the tables on Hive."

FBI Director Christopher Wray delivered a statement on the matter:

“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard. The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American business and organizations."

Hive engaged with an unknown number of affiliates in a ransomware-as-a-service, subscription-based model in which it was able to activate small and often under-resourced and unsophisticated hackers to develop a ransomware variant of their own. Affiliates earned a percentage of a successful ransomware attack.

Of late, a double extortion model has emerged with a growing number of ransomware hijackers, in which victims are blackmailed that data exfiltrated from their systems will be posted for sale on dark web forums. Hive itself published stolen data on the Hive Leak Site.

Hive Methods Examined

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Hive affiliates have gained initial access to victim networks through a number of methods. These include single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols; exploiting FortiToken vulnerabilities; and sending phishing emails with malicious attachments.

Austin Berglas, global head of professional services for BlueVoyant, a New York-based cybersecurity provider, said that although the seizure of Hive assets won’t “dismantle” the organization, “it will certainly disrupt operations for a period of time, forcing the group to establish new infrastructure if they intend on continuing criminal activity under the same Hive moniker.” Dismantlement, he said, comes only when law enforcement arrest the individuals responsible.

To that point, in May 2022, the infamous Conti ransomware crew disbanded operations after one of its members leaked internal communications. However, some of the group’s members spun off into other gangs such as BlackBasta and BlackByte. Hive members are likely to do the same. Although there were no arrests announced on January 25, U.S. Attorney General Merrick Garland said the investigation was ongoing and one department official told reporters to "stay tuned,” Reuters reported.

Garland said the FBI's operation helped a wide range of victims, including a Texas school district:

"The bureau provided decryption keys to the school district, saving it from making a $5 million ransom payment and a Louisiana hospital avoided a $3 million payment."