
FBI smokes ransomware Hive after secretly buzzing around gang's network for months

Uncle Sam doles out decryption keys to 300+ victims amid sting op

The FBI said it has shut down the Hive ransomware network, seizing control of the notorious gang's servers and websites, and thwarting the pesky criminals' ability to sting future victims.

The takedown, which happened Wednesday night, was the culmination of a seven-month covert operation during which the FBI hacked Hive's network and used that access to provide decryption keys to more than 300 victims, saving them $130 million in ransomware payments, we're told.

Uncle Sam also distributed another 1,000 decryption keys to previous Hive victims, according to the US Department of Justice.

And then finally, working with German and Dutch law enforcement, the Feds dismantled the crime group's infrastructure, "crippling Hive's ability to sting again," FBI Director Christopher Wray said during a Thursday press conference.

During the time spent hiding in Hive's networks, the FBI also determined that only about 40 percent of the gang's victims reported "potential issues" to law enforcement, Wray added. That's not a good practice.

While no arrests have been made, "our investigation into the criminal conduct of Hive members remains ongoing," US Attorney General Merrick Garland said.

Since June 2021, Hive ransomware criminals have hit more than 1,500 victims globally and extorted more than $100 million in ransom payments, according to the government agencies.

The gang targeted government facilities, communications, critical manufacturing and IT, and has a particular affinity for hospitals. In April, the US Health and Human Services agency warned healthcare orgs about Hive, which it described as an "exceptionally aggressive" threat to the health sector. 

During today's press conference, Garland detailed an attack against a US hospital in August 2021 as COVID-19 cases surged worldwide. 

"The Hive ransomware attack prevented the hospital from accepting any new patients," he said. "The hospital was also forced to rely on paper copies of patient information. It was only able to recover its data after it paid a ransom." 

Hive also uses a ransomware-as-a-service (RaaS) model where its developers write the malware code, then affiliates deploy the pre-made ransomware against victims, and both groups split the proceeds.

These particular criminals also use double-extortion attacks: Before they encrypt the victims' systems, the crooks steal sensitive data and then threaten to publish the information on the Hive leak site if the organization doesn't pay up. 

Hive affiliates use several methods to gain initial access to victims' networks, according to the US Cybersecurity and Infrastructure Security Agency. This includes single-factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols. 

The miscreants have also bypassed multi-factor authentication and broken into FortiOS servers after exploiting FortiToken vulnerabilities.

They've also used tried-and-true phishing emails with malicious attachments, which, in the past, allowed them to exploit any number of Microsoft Exchange server vulnerabilities.

Hive was the eighth most active ransomware group in the final quarter of 2022, with more than 20 victims, according to ReliaQuest's Q4 ransomware report.

And the law enforcement action against Hive follows a year in which ransomware gangs remained relatively consistent — GuidePoint Security, in its report published today, said each quarter in 2022 saw at least 569 victims. 

According to Google's Mandiant Threat Intelligence team, the Hive takedown "won't cause a serious drop in overall ransomware activity."

"Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals," Mandiant's head of threat intel John Hultquist told The Register.

"Actions like this add friction to ransomware operations," he added. "Hive may have to regroup, retool, and even rebrand. When arrests aren't possible, we'll have to focus on tactical solutions and better defense. Until we can address the Russian safehaven and the resilient cybercrime marketplace, this will have to be our focus."

When asked about Hive's ties to the Kremlin during today's press conference, Garland declined to answer, noting "we're in the middle of an ongoing investigation." ®
