Hive Ransomware Operations Thwarted by FBI and Europol

On January 26, 2023, the Federal Bureau of Investigation (FBI), along with the US Department of Justice and Europol, announced that a successful campaign to infiltrate Hive ransomwares infrastructure and disrupt operations had been carried out. Hive ransomware had developed a reputation for targeting hospitals, school districts, financial firms, and critical infrastructure and targeted more than 1,500 victims in over 80 countries around the world.

The months-long operation, which started in July 2022, resulted in law enforcement successfully gaining access to Hive’s network and the decryption keys.

Hive Ransomware Operations Thwarted by FBI and Europol

This information was shared with over 300 victims of Hive attacks, preventing the victims from handing over a combined 130 million USD to ransomware operators. A further 1000 decryption keys were given to other victims of the ransomware gang.

It was also announced that in a combined effort with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, officials had seized control of the servers and websites used by ransomware operators to communicate with the ransomware’s administrators and victims.

Commenting on the operation Attorney General Merrick B. Garland stated,

“Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world…Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”

FBI Director Christopher Wray also provided insight into the FBI’s commitment to combating ransomware operations by stating,

“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard…he FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American business and organizations.”

Hive and Ransomware-as-a-Service

Hive began operations in July 2021 and up until now had earned over 100 million USD in ransomware payments from victims. Those who developed the ransomware were quick to adopt the Ransomware-as-a-Service (RaaS) model, where affiliates are granted the use of the ransomware to infect victims and the developers, also sometimes called administrators charge a subscription fee to use the model or receive a portion of the proceeds of a successful attack.

Often the developer provides an easy-to-use interface to facilitate easier use of the ransomware payload then affiliates are found to deploy the ransomware on machines compromised by the affiliates.

In the case of Hive, it is believed that proceeds are split 80/20 favoring the affiliates. This is often the case as affiliates tend to take on more risk for their actions.

Hive also adopted the double extortion tactic. This involves data being exfiltrated before encryption of data occurs. The stolen data is then used to further put pressure on the victims as the threat actor threatens to release the data to the public or sell it to the highest bidder.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), initial access to a victim’s infrastructure is gained in several ways. As to how initial access is gained in the wild it was noted,

“Hive affiliates have gained initial access to victim networks through a number of methods, including: single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols; exploiting FortiToken vulnerabilities; and sending phishing emails with malicious attachments.”

Following an increased focus on combatting the threat posed by ransomware in North American and European countries news of several successful operations to hack back ransomware operators, or seize assets related to ransomware operations, there is a fear that ransomware operators will shift to targeting the global south.

Security researchers have noted that countries in South America and Africa may be the new favored geographies for sourcing victims. In 2021, South Africa’s Transnet, the parastatal responsible for facilitating rail and port operations, suffered a ransomware attack which severely impacted operations critical to that country’s economy.

Given the increased pressure applied by law enforcement in the North, incidents like this might become far more frequent, especially in economies with perceived bigger problems than securing IT infrastructure.

Severe disruptions to critical infrastructure in these economies can result in severe economic distress to already struggling economies.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal