The US Department of Justice has spent months infiltrating and disrupting the Hive ransomware group, the agency announced on Thursday. The DOJ says Hive has targeted over 1,500 victims in more than 80 countries, extorting hundreds of millions of dollars in ransom payments.
Working with German and Netherlands law enforcement, the FBI seized Hive’s servers and websites, allegedly slowing the group’s ability to attack and extort new victims. It first infiltrated Hive’s network in July 2022, providing over 300 decryption keys to Hive’s current victims and more than 1,000 keys to previous victims — preventing over $130 million in ransom payments. The agency hasn’t announced any arrests. However, it’s still investigating the group, according to NBC News.
Hive used a ransomware-as-a-service (RaaS) model, where administrators (essentially the ringleaders) create ransomware strains with easy-to-use interfaces. The administrators then recruit affiliates who use the ransomware software to carry out the theft — and likely much of the risk.
For example, Hive would steal a victim’s data and encrypt their system. The affiliate would then demand a ransom in exchange for the decryption key and a promise not to publish the data. (Of course, it would frequently target the most sensitive data to apply maximum pressure.) If the victims pay, affiliates and administrators would split the ransom 80 / 20. Those unwilling to pay would find their data leaked on the web.
The US Cybersecurity and Infrastructure Security Agency (CISA) says Hive gained access through single-factor logins via Remote Desktop, VPNs, exploiting FortiToken (software-based access key) vulnerabilities and phishing emails with malicious attachments.
“Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” said US Attorney General Merrick Garland today. “We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.” The FBI recommends victims contact their local FBI field office.