The United States Justice Department announced yesterday it has successfully disrupted a global ransomware group known as Hive, which has claimed over 1,500 victims in more than 80 countries.
The group, which has targeted hospitals, school districts, financial firms, and critical infrastructure, has been under investigation by the FBI since July 2022. In a coordinated effort with German and Dutch law enforcement agencies, the FBI was able to infiltrate Hive's computer networks, capture its decryption keys, and offer them to victims worldwide. This prevented victims from having to pay the US$130 million in ransom Hive had demanded.
Since infiltrating Hive's network in July 2022, the FBI has provided over 300 decryption keys to victims who were under attack and an additional 1,000 keys to previous victims. The Justice Department also announced that it has seized control of the servers and websites used by Hive to communicate with its members, effectively disrupting the group's ability to attack and extort victims.
“The Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” says Attorney General Merrick B. Garland. “Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack.”
Hospitals had to ditch digital in ransomware attacks
Since June 2021, the Hive ransomware group has targeted more than 1,500 victims around the world and received over US$100 million in ransom payments.
Hive ransomware attacks have caused major disruptions in victims' daily operations around the world and affected responses to the COVID-19 pandemic. In one case, a hospital attacked by Hive ransomware had to resort to analogue methods to treat existing patients and could not accept new patients immediately following the attack.
Hive used a ransomware-as-a-service (RaaS) model featuring administrators, sometimes called developers, and affiliates. RaaS is a subscription-based model where the developers or administrators develop a ransomware strain and create an easy-to-use interface with which to operate it, and then recruit affiliates to deploy the ransomware against victims. Affiliates identified targets and deployed this readymade malicious software to attack victims and then earned a percentage of each successful ransom payment.
Deputy Attorney General Lisa O. Monaco says: “The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators. In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than US$130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the centre of our efforts to mitigate the cyber threat.”
The coordinated disruption of Hive’s computer networks shows what authorities can accomplish with operations that hit adversaries hard, says FBI Director Christopher Wray. “The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American business and organisations."
Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division says: “Our efforts, in this case, saved victims over a hundred million dollars in ransom payments and likely more in remediation costs. This action demonstrates the Department of Justice’s commitment to protecting our communities from malicious hackers and to ensuring that victims of crime are made whole. Moreover, we will continue our investigation and pursue the actors behind Hive until they are brought to justice.”