FBI Secretly Infiltrated Hive Ransomware Group’s Network for 7 Months

The FBI secretly infiltrated the infamous Hive ransomware group over seven months to stymie its attempts to extract funds from hundreds of victims. 

The Justice Department made the announcement after the FBI joined with European law enforcement to shut down the ransomware gang’s servers. This included replacing Hive’s site on the dark web last night with a banner that says the destination has been seized.

[Image: FBI banner showing the Hive site was seized. (Credit: FBI)]

The FBI infiltrated Hive’s computer networks in July. Over the following seven months, that access allowed federal agents to quietly obtain hundreds of decryption keys, which victims then used to free their systems from Hive ransomware infections.

“Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims,” the Justice Department said. The resulting decryption keys likely deprived the Hive gang of $130 million in ransomware payments. 

It’s unclear how the FBI broke into Hive’s networks. During a press conference, US Assistant Attorney General Lisa Monaco would only say: “Simply put, using lawful means we hacked the hackers.”

Federal investigators also uncovered two back-end servers based in Los Angeles that Hive was using to “store the network’s critical information,” US Attorney General Merrick Garland said. The FBI has since seized those servers, using court orders. 


However, the Justice Department announced no charges or arrests for any of the individuals who might be running the Hive ransomware gang. So the group could revive its operations soon. Still, it’s possible federal investigators may have identified the masterminds of the group, thanks to infiltrating the gang’s computer networks. 

Hive is likely based in Russia, a country that refuses to extradite criminal suspects to the US. The ransomware gang came on the scene in 2021 and has since targeted over 1,500 victims across the globe and received $100 million in ransomware payments, the DOJ says.

Hive is notorious for attacking health providers. The Justice Department noted in August 2021 that the gang used its ransomware to disrupt operations at a US hospital in the Midwest, forcing it to stop accepting new patients. In addition, the group has targeted school districts, financial companies, and critical infrastructure providers.  


Hive operates under a “ransomware-as-a-service” model: developers create the ransomware code and lease it to cybercriminals, known as “affiliates,” who deploy it against victims.

“Hive actors employed a double-extortion model of attack,” the DOJ adds. “Before encrypting the victim system, the affiliate would exfiltrate or steal sensitive data. The affiliate then sought a ransom for both the decryption key necessary to decrypt the victim’s system and a promise to not publish the stolen data.”

US cyber authorities say the Hive ransomware gang targets victims with phishing emails carrying malware, or by trying to break into employee accounts for remote access programs or VPNs. The FBI is urging victims of Hive, or of any other ransomware gang, to contact law enforcement to help it crack down on these crimes.
