The FBI secretly infiltrated the Hive network and, in addition to seizing key servers and decryption keys, even took over the Hive group's leak site on the dark web. In doing so, the FBI, the German BKA, the Baden-Württemberg police and Europol thwarted ransom demands totaling over 130 million US dollars.
The US Department of Justice announced that its months-long disruption campaign against the Hive ransomware group has now borne fruit. The group was responsible for more than 1,500 victims in over 80 countries, including hospitals, school districts, financial companies and operators of critical infrastructure (KRITIS). The action was a joint effort by the FBI, the German BKA, the Baden-Württemberg police and Europol.
1,300+ decryption keys for Hive victims
As early as late July 2022, the FBI penetrated Hive's computer networks, captured its decryption keys and handed them over to the victims. As a result, $130 million in demanded ransom has already gone unpaid. Since infiltrating Hive's network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack at the time. In addition, the FBI distributed over 1,000 further decryption keys to earlier Hive victims.
Finally, the department announced today that, in coordination with the German law enforcement authorities (Bundeskriminalamt, CID Esslingen) and the Dutch National High Tech Crime Unit, it has taken control of the servers and websites that Hive used to communicate with its members, thereby disabling Hive's ability to attack and extort victims.
21st century cyber stakeout
"The Justice Department's disruption of the Hive ransomware group should speak as loudly to victims of cybercrime as it does to perpetrators," said Deputy Attorney General Lisa O. Monaco. "In a 21st century cyber stakeout, our investigative team turned the tables by stealing Hive's decryption keys and giving them to victims, ultimately preventing over $130 million in ransomware payments. We will continue to do everything we can to combat cybercrime and put victims at the center of our efforts to reduce the cyber threat."
Hive even extorted hospitals
Hive ransomware attacks have significantly disrupted the daily operations of victims around the world and impacted responses to the COVID-19 pandemic. In one case, a hospital attacked by Hive ransomware had to fall back on analog methods to treat existing patients and was unable to accept new patients immediately after the attack.
Hive operated under a ransomware-as-a-service (RaaS) model with administrators and affiliates. RaaS is a subscription-based model in which developers build the ransomware and provide an easy-to-use interface, then recruit affiliates to deploy it against victims. The affiliates identified targets and launched the ready-made malware against them, and the Hive administrators took a percentage of each successful ransom payment.
Hive's model relied on double extortion
Hive actors used a double extortion model. Before encrypting a victim's systems, the affiliate first exfiltrated sensitive data. The affiliate then demanded a ransom both for decrypting the systems and for a promise not to publish the stolen data. When a victim paid, affiliates and administrators split the ransom 80/20, with affiliates keeping 80 percent. Hive published the data of victims who did not pay on its leak site.
More at Justice.gov