The U.S. Department of Justice and Europol announced that law enforcement authorities in more than a dozen countries in Europe and North America have joined to disrupt the activities of the ransomware group Hive, which has targeted a variety of organizations around the world over the past several years and is believed to have coerced payments in cryptocurrency.
The captured decryption keys helped Hive victims avoid paying a $130 million ransom
Hive, a ransomware network that has claimed approximately 1,500 victims in more than 80 countries, suffered a months-long disruption operation, the U.S. Department of Justice (DOJ) and the European Union Law Enforcement Cooperation Agency (Europol) have revealed. A total of 13 countries participated in the operation, including EU member states, the United Kingdom, and Canada.
Hive has been identified as a major cybersecurity threat because threat actors have used it to compromise and encrypt the data and computer systems of EU and US government facilities, oil multinationals, and IT and telecom companies, Europol stated. Hospitals, schools, financial institutions, and critical infrastructure have also been targeted, the DOJ noted.
It is one of the most prolific ransomware threats, having collected at least $100 million from victims since its launch in 2021, Chainalysis noted. A recent report by the blockchain forensics firm found that revenues from these attacks have declined in the past year as a growing number of victim organizations have refused to pay the ransoms demanded.
Law enforcement officials say the U.S. Federal Bureau of Investigation (FBI) broke into Hive’s computers in July 2022, captured its decryption keys, and provided them to victims worldwide, sparing them from paying another $130 million in ransoms.
“Working with the German Federal Police and the Dutch High Tech Crime Unit, the FBI is now in control of the servers and websites that Hive used to communicate with its members and victims, including the darknet domain where the stolen data was sometimes posted…” FBI Director Christopher Wray is quoted as saying.
“The systematic destruction of the Hive’s computer network… shows what can be accomplished by combining a relentless search for useful technical information to share with victims.”
The Hive ransomware was created, maintained, and updated by its developers and deployed by affiliates under a double-extortion “ransomware-as-a-service” (RaaS) model, the European police agency explained. The affiliates would first copy the victim’s data, then encrypt the files, and then demand a ransom both to decrypt the information and to keep it from being published on the group’s leak site.
The attackers exploited various vulnerabilities and used a number of intrusion methods, including single-factor logins via RTM.