Getty Images/EyeEm

FBI hacked into Hive ransomware gang, disrupted operations

The FBI infiltrated Hive's network in July 2022 and obtained decryption keys, which it distributed to victims to prevent $130 million in ransom payments, according to the DOJ.

Hive ransomware servers were seized in an international law enforcement operation led by the FBI, the U.S. Department of Justice announced in a press conference Thursday.

Reports of the takedown first came Thursday morning when security researchers noted on Twitter that Hive's dark web leak site had been replaced by an apparent takedown notice from various law enforcement agencies. Shortly after, the Department of Justice (DOJ) held a press conference in which Attorney General Merrick Garland announced that the FBI Wednesday night acted on a court order to seize servers containing the criminal network's "critical information." Moreover, the department was given authorization to seize Hive's leak site.

Alongside Garland, the press conference was led by Deputy Attorney General Lisa Monaco and FBI director Christopher Wray. The conference was accompanied by a press release, and Europol published a press release of its own. Garland thanked Europol during the conference as well as other international partners, including Germany and the Netherlands.

Hive is a ransomware-as-a-service operator that first emerged in June 2021 and claimed hundreds of victims in its first months. According to the Justice Department's press release on the takedown, Hive has "targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure."

The press conference revealed that the FBI penetrated Hive's networks in July 2022, capturing decryption keys and offering them to victims worldwide. According to Garland, this work stopped victims from paying $130 million in ransoms, representing 300 decryption keys distributed to Hive victims under attack and 1,000 additional keys to prior victims.

"Simply put, using lawful means, we hacked the hackers," Monaco said regarding the FBI's penetration of Hive's networks.

A Hive ransomware takedown notice.
A takedown notice published on Hive's ransomware dark web leak site by the U.S. Department of Justice.

None of the speakers shared details of any arrests involving Hive ransomware operators. When asked during a press Q&A, Garland declined to comment, noting that the investigation was ongoing.

Monaco said these actions make it clear "that we will strike back against cybercrime using any means possible" and that the DOJ pledges to put victims at the center of its strategy. The deputy attorney general also urged ransomware victims to come forward.

"It pays to come forward and to work with us," she said. "We are all in this together. We need your help to stop cyber criminals to prevent future victims. And in exchange, we pledge our tireless efforts to help you protect your systems and to prevent or recover losses. When a victim steps forward, it can make all the difference in recovering stolen funds or obtaining decryptor keys."

Wray similarly urged ransomware victims to step forward, noting that since July, the FBI had found that only 20% of Hive victims reported ransomware to law enforcement agencies. He added that while the DOJ operates to protect the country, the fight against cybercrime is a global one.

"Reminder to cyber criminals: no matter where you are and no matter how much you contort and try to twist and turn to cover your tracks, your infrastructure, your criminal associates, your money and your liberty are at risk, and there will be consequences," he said.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Data security and privacy