Justice 'Hacked the Hackers' of Hive Ransomware, Stopping $130M in Demands

After a months-long effort, the Department of Justice has disrupted the Hive ransomware group—which the FBI labeled a top 5 ransomware threat—according to an announcement on Thursday.

The efforts of the DOJ and international partners “hacked the hackers,” hindering $130 million in ransom demands, according to Deputy Attorney General Lisa O. Monaco.

Hive ransomware group went after more than 1,500 victims in 80-plus countries, the announcement noted. Victims included hospitals, school districts, financial firms and critical infrastructure. 

These attacks have greatly disrupted victims’ operations, such as impacting a hospital’s response to COVID-19, the DOJ stated. Specifically, one hospital had to use analog methods to treat existing patients and could not accept new patients after the attack. 

“Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” Attorney General Merrick B. Garland said in a press release. “Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”

The FBI infiltrated Hive’s networks in July 2022 and remained to capture the group’s decryption keys. The FBI provided more than 300 decryption keys to victims under attack and more than 1,000 decryption keys to previous victims, preventing victims from having to pay $130 million in ransom demands. Beginning in June 2021, the ransomware group was able to extort more than $100 million in ransom payments, before the FBI operation.

As noted in the announcement, Hive utilized a ransomware-as-a-service, or RaaS, model that included administrators—occasionally called developers—and affiliates. According to the announcement, RaaS is a subscription model where the developers or administrators create a ransomware strain and a user-friendly interface from which to operate it.  Affiliates then deployed the ransomware on targeted victims, enabling them to split the ransom with administrators 80:20. 

According to the Cybersecurity and Infrastructure Security Agency, Hive accessed victims’ networks through a variety of methods, such as: single factor logins via Remote Desktop Protocol, virtual private networks and other remote network connection protocols; exploiting vulnerabilities in Fortinet’s mobile software token application; and sending phishing emails with malicious attachments.

Additionally, Hive used the double-extortion attack model: before encrypting the victim’s system, the affiliate would extract the sensitive data, enabling them to ask for ransom to both decrypt the system and to not publish the stolen data. According to the DOJ, Hive often focused on the victim’s most sensitive data to increase payment pressure and would publish non-ransom paying victims’ data on the Hive Leak Site.

“Unbeknownst to Hive, in a 21st century cyber stakeout, our investigative team lawfully infiltrated Hive’s network and hid there for months—repeatedly swiping decryption keys and passing them to victims to free them from ransomware,” Deputy Attorney General Lisa O. Monaco said in a speech. “For months, we helped victims defeat their attackers and deprived the Hive network of extortion profits. Successful actions like the one we announce today require the creative use of civil and criminal authorities, and they require partnerships—among law enforcement to be sure—but also with victims. Our actions in this investigation should speak clearly to those victims: it pays to come forward and work with us.”

In conjunction with German law enforcement—the German Federal Crime Police and Reutlingen Police Headquarters-CID Esslingen—and the Netherlands National High Tech Crime Unit, the international group of law enforcement agencies took control of the servers and websites that Hive members used to coordinate with each other, thus disrupting the group’s ability to operate and attack.

“The coordinated disruption of Hives’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining relentless search for useful technical information to share with victims, with investigation aimed at developing operations that hit our adversaries hard,” FBI Director Christopher Wray said.

The partnerships allowed them to track the ransom payments made through blockchain and seize them to return to victims; dismantle the Hive networks; warn Hive targets; and disrupt the criminal ecosystem.

The FBI Tampa Field Office, Orlando Resident Agency is investigating the case and the DOJ’s Criminal Division’s Computer Crime and Intellectual Property Section as well as the Middle District of Florida are prosecuting the case. Hive victims were encouraged to contact their local FBI field office.