U.S. and European Police Dismantle Hive Ransomware Group

  • U.S. and European law enforcement agencies have dismantled the operations of the Hive ransomware group
  • Hive used ransomware to solicit more than $100 million in cryptocurrencies from victims
  • The FBI has been handing out decryption keys to victims since it infiltrated the group in July 2022

The Department of Justice (DoJ) yesterday announced that it has successfully disrupted the operations of the Hive ransomware group, which has targeted over 1,500 victims in 80 countries worldwide. The Federal Bureau of Investigation (FBI) infiltrated Hive’s networks in July 2022, captured its decryption keys, and offered them to victims, sparing them from having to pay $130 million in ransom. The department has now, in association with foreign police agencies, seized control of the servers and websites that Hive used to communicate with its members, disrupting Hive’s ability to attack and extort victims.

Hive Victims Numbered 1,500 Worldwide

Hive operated using a ransomware-as-a-service (RaaS) model, which involved developers creating a strain of ransomware and an easy-to-use interface for affiliates to deploy it. The affiliates then targeted victims and earned a percentage of each successful ransom payment, paid in cryptocurrency. For over a year the group was able to solicit over $100 million in crypto ransom payments from more than 1,500 victims worldwide.

Hive actors used a double-extortion model, where they stole sensitive data before encrypting the victim’s system and then demanded a ransom for both the decryption key and a promise not to publish the stolen data. They often targeted the most sensitive information to increase pressure on victims to pay, with the ransom split 80/20 between the affiliates and administrators. Victims who did not pay had their data published on the Hive Leak Site.

FBI Handed out Decryption Keys

Since infiltrating the group last year, the FBI has provided over 300 decryption keys to current victims and 1,000 additional keys to previous victims. In coordination with German and Dutch law enforcement, the department recently seized control of the servers and websites that Hive used to communicate with its members, effectively shutting down its ability to attack and extort victims.