After seven months spent lurking inside a notorious ransomware group’s networks, swiping decryption keys for its victims, the FBI and international partners seized infrastructure behind Hive ransomware attacks.
Since June 2021, Hive has targeted more than 1,500 victims globally, including disrupting health care providers during the height of the COVID-19 pandemic. Victims paid more than $100 million in ransom to the group, which attacked a U.S. victim in Florida as recently as 15 days ago, according to Attorney General Merrick Garland.
The successful international operation against the group, considered a top-five ransomware threat by the FBI, is a major victory for the ongoing and frustrating battle against the scourge or ransomware that costs victims hundreds of million of dollars annually.
While staking out Hive’s network, the FBI disrupted multiple attacks, including ones against a Louisiana hospital, a food services company and a Texas school district. The investigation led to two servers in Los Angeles that FBI agents took down with a court order Wednesday night. Law enforcement from the Netherlands and Germany contributed to the operation.
“In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments,” Deputy Attorney General Lisa O. Monaco said during a press conference Thursday. “Simply put, using lawful means we hacked the hackers.”
Like many other groups, Hive offered its ransomware through a ransomware-as-a-service model through which affiliates could easily subscribe to use the group’s malware strains and infrastructure to deploy attacks. Hive actors used what cybersecurity experts call a “double extortion” model, which means exfiltrating victims’ data before encrypting their systems. If the victims don’t pay, the hackers threaten to release their data publically.
Only 20% of the victims that FBI agents observed while staking out the Hive network reached out to law enforcement, according to FBI Director Christopher Wray. “Fortunately, we were still able to identify and help many victims who didn’t report but that is not always the case,” said Wray. “When victims report attacks to us, we can help them and others, too.”
No charges against Hive developers were brought, however, Wray said that the U.S. will continue to work with international partners to seize additional Hive infrastructure and arrest developers and affiliates.
The Hive takedown is reflective of the Justice Department’s strategy to go after hacking infrastructure first, disrupting attacks and clawing back victim losses. Wray pointed to the FBI obtaining and sharing decryption keys for victims of an attack on Kaseya by the Russian ransomware gang REvil. Arrests of ransomware actors are rare due to many living in Russia, a known safe haven for cybercriminals. In November, the Justice Department worked with Canadian police to arrest a dual Russian and Canadian national for allegedly participating in LockBit ransomware attacks.
Still, the FBI’s operation is a significant blow to the group, researchers say. “Actions like this add friction to ransomware operations,” said John Hultquist, head of Mandiant Threat Intelligence at Google Cloud. “Hive may have to regroup, retool, and even rebrand. When arrests aren’t possible, we’ll have to focus on tactical solutions and better defense. Until we can address the Russian safe haven and the resilient cybercrime marketplace, this will have to be our focus.”
It’s possible that like many ransomware groups, Hive affiliates could scatter or reorganize under a different name. “In the past we’ve seen them employ CONTI and MOUNTLOCKER among others,” said Kimberly Goody, a senior manager at Mandiant. “This shows that some actors already have relationships within the broad ecosystem that could enable them to easily shift to using another brand as part of their operations.”
Hive accounted for over 15% of ransomware intrusions that Mandiant responded to in 2022, with 50%of its public victims being based in the U.S. The company has observed malicious hackers rewriting their ransomware in mid-2022, suggesting that the group is attempting to evade detection.
Elias Groll contributed reporting.