One of the biggest cybercriminal threats of 2022 has now been effectively neutralized, as the US Department of Justice has announced that the Hive ransomware infrastructure is under FBI control. In tandem with several other agencies around the world, an international law enforcement operation has seized servers and obtained the group’s decryption keys.
The FBI reportedly penetrated the group in July 2022, and has been providing victims with decryption keys since. The agency estimates that those hit by Hive ransomware will now keep a cumulative $130 million in their pockets that otherwise would have gone to payments.
Law enforcement operation nabs Hive infrastructure, leads on ransomware affiliates
Hive had become one of the biggest ransomware-as-a-service outfits in the world at the time that the FBI gained access to the group. The bust not only removes the Hive ransomware threat, but also yielded information on 250 of the group’s affiliates. Affiliates are generally the ones that do the actual penetration of target networks, turning operations over to the ransomware gang once they open up a foothold.
While putting an end to Hive ransomware is big, this is unlikely to be the end of the individual group members. Hive was thought to be the landing spot for a number of members of Conti, when the leak of inside intelligence and the threat of law enforcement operations pushed that group to dissolve. Those members, along with other ransomware professionals, will likely re-establish themselves somewhere else before long. As impressive as international law enforcement operations can be in their scope and effectiveness, there is little they can do if the suspects opt to stay in Russia.
Hive ransomware goes down, but new strains appear more rapidly than ever
The FBI says that 300 Hive ransomware victims received decryption keys after being attacked in 2022 and early 2023, before the law enforcement operation captured the servers and was disclosed to the public. A further 1,000 victims that were hit prior to July 2022 have also been given keys to their locked data. All told, that represents most of the estimated 1,500 victims that Hive hit during its run, but it is not clear how many paid a ransom or had stolen data leaked to the dark web; the group reportedly made about $100 million before it was broken up.
Federal police in the Netherlands and Germany seized servers that the group was using to interface with the public and negotiate ransomware payments, and smaller servers were seized in numerous other countries. The law enforcement operation netted essentially everything the group used for communication, and between that and the availability of decryption keys, the Hive ransomware is likely done for good.