Fraud Management & Cybercrime , Ransomware

FBI Seizes Hive Ransomware Servers in Multinational Takedown

Agents Infiltrated Hive in July 2022: 'We Hacked the Hackers,' Says DOJ Official
FBI Seizes Hive Ransomware Servers in Multinational Takedown
The Hive data leak site currently displays this message in English and Russian: "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware" (Image: Information Security Media Group)

A multinational law enforcement operation late Wednesday night seized control of digital infrastructure used by the Hive ransomware-as-a-service criminal group, and U.S. officials revealed Thursday morning that the FBI had secretly penetrated the group's servers.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

After infiltrating the group's network last summer, federal agents used their inside view of the Hive group's operations to seize decryption keys and prevent about 300 victims across the globe from paying $130 million worth of demanded extortion payments.

The seizure, a coordinated operation including participation by U.S., German and Dutch police, is part of an ongoing investigation that could result in arrests, FBI Director Christopher Wray said during a press conference Thursday morning.

"We'll continue gathering evidence; building out our map of Hive developers, administrators and affiliates; and using that knowledge to drive arrests, seizures and other operations, whether by the FBI or our partners here and abroad," he said.

Hive's dark web leak site now displays a message, alternatively in Russian and English, stating that the FBI has taken control of the site.

"We hacked the hackers," Deputy Attorney General Lisa O. Monaco told reporters. Federal agents seized two servers located in Los Angeles, Attorney General Merrick Garland said.

Hive, first observed in June 2021 and consisting of possible Russian-language speakers, is notorious for targeting healthcare organizations. It typically splits extortion payments, and the affiliates responsible for the actual hacking keep one-fifth of the total take. Hive deploys a double-extortion model - pressuring victims into paying by threatening to leak sensitive data stolen during the initial hack unless they pay the ransom.

Its victims include U.S. nursing home chain Consulate Health Care and Lake Charles Memorial Health System in Louisiana. The federal government calculated late last year that Hive had victimized more than 1,300 companies worldwide, obtaining about $100 million in extortion.

Garland accused Hive of infecting an unnamed Midwestern hospital "at a time when COVID-19 was surging" in an incident that forced the hospital to turn away patients and resort to paper copies of patient information. FBI access to the decryptor keys headed off a Texas school district from making a $5 million ransomware payment and a Louisiana hospital from making a $3 million payment, Merrick said.

U.S. and European governments have vowed an aggressive crackdown on ransomware groups, which primarily operate from inside Russia, typically with the tacit or explicit support of the Kremlin. Those efforts may be achieving results given figures showing a decrease in the number of organizations delivering extortionate payments to hackers (see: Ransomware Profits Dip as Fewer Victims Pay Extortion).

Ransomware payments are made using cryptocurrency, and blockchain intelligence firm Chainalysis reports that criminal groups' ransomware revenue fell at least $456.8 million in 2022, from $765.6 million in 2021 - a drop of about 40%. Ransomware groups can blame their disappearing revenue on more would-be victims putting robust defenses in place, including well-rehearsed incident response plans, which make executing a successful attack harder. Also, law enforcement agencies mobilize earlier to assist victims.

Wray today urged victims to contact law enforcement, saying that agents' seven-month infiltration of the Hive infrastructure showed that only about one-fifth of Hive victims contacted police. "We were still able to identify and help many victims who didn't report in, but that is not always the case. When victims report attacks to us, we can help," he said.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.