‘We hacked the hackers:’ DOJ, FBI take down Hive ransomware after spending months inside gang systems

The FBI and Justice Department took down the infrastructure of the Hive ransomware group on Thursday, announcing that their agents had been inside the group’s systems since July 2022.

FBI Director Christopher Wray said agents gained “clandestine, persistent access” to the control panel used by Hive operators seven months ago, allowing them to identify victims and offer decryption keys to more than 1,300 of them around the world and prevent at least $130 million in ransom payments. 

“Unbeknownst to Hive, in a 21st century cyber stakeout, our investigative team lawfully infiltrated Hive’s network and hid there for months, repeatedly swiping decryption keys and passing them on to victims to free them from ransomware,” Deputy Attorney General Lisa Monaco said during a press conference on Thursday. 

“For months, we helped victims defeat their attackers and deprived the Hive network of extortion profits. Simply put, using lawful means, we hacked the hackers. We turned the tables on Hive and we busted their business model.”

The agencies said Hive has targeted 1,500 victims in more than 80 countries since emerging in June 2021, and Attorney General Merrick Garland listed off dozens of specific instances where they were able to help victims deal with a ransomware attack, noting the group’s affinity for targeting schools and hospitals during the COVID-19 pandemic. 

The group made at least $100 million in its first year of operation. 

“The FBI disrupted a Hive ransomware attack against a Texas school district's computer systems and the bureau provided decryption keys to the school district, saving it from making a $5 million ransom payment,” Garland said. 

“That same month, the FBI disrupted a Hive ransomware attack on a Louisiana hospital, saving the victim from a $3 million ransom payment. The FBI was also able to disrupt an attack on a food services company, providing the company with decryption keys and saving the victim from a $10 million ransom payment.”

Wray said the operation was done in cooperation with Europol as well law enforcement agencies in Germany, the Netherlands, Canada, France, Ireland, Lithuania, Norway, Portugal, Romania, Spain, Sweden and the U.K.

The FBI said it provided more than 300 decryption keys to Hive victims currently under attack and over 1,000 keys to previous victims. 

Garland said they decided to finally disrupt the group’s systems after finding computer servers located in Los Angeles that were used by Hive actors to store critical information. They seized the servers on Wednesday night and shut down the Hive darknet site. A seizure notice from several U.S. and international agencies now appears on the group’s leak site.  

“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard,” Wray said. 

He noted that during their time in Hive’s systems, they found that only about 20% of victims reported their ransomware incidents to law enforcement, highlighting the persistent issue of victims simply not coming forward and instead paying ransoms.

Europol said that Hive’s success was rooted in its "ransomware-as-a-service" model, where affiliates received 80% of a ransom and the developers of the ransomware received the other 20%.  

They noted that operational meetings were held in Portugal and the Netherlands to support the operation – providing links to “available data to various criminal cases within and outside the EU, and supported the investigation through cryptocurrency, malware, decryption and forensic analysis.”

No arrests were announced and Garland declined to comment when asked whether any were expected. But Europol said four experts were deployed to “coordinate the activities on the ground.”

Wray told reporters that “anybody involved with Hive should be concerned because this investigation is very much still ongoing.” He added that those involved may face trial in the U.S. or in Europe. 

Wray noted that the FBI’s work in this case was special because they have never had this kind of access to a ransomware group’s backend. 

“I'm not sure we've had one that's been quite this scale in terms of the sheer number of keys we've been able to get access to and the sheer number of victims we've been able to help over this period of time,” he said. 

“More and more I think you can expect to see... situations where impact is achieved by more than just arrests, where we're doing things like getting keys to victims, taking down infrastructure and seizing cryptocurrency,” he said.