The international ransomware syndicate Hive has met its end. Hive's leak site, where the gang published data stolen from its victims, and the Application Programming Interface (API) of its back-end server were seized by US authorities.
The Hive ransomware gang was infiltrated and taken down by the Federal Bureau of Investigation after what US officials described as a months-long "cyber stakeout."
The operation thwarted more than $130 million in ransom demands: the FBI captured Hive's decryption keys and passed them to victims, the US Department of Justice (DOJ) confirmed.
“Our efforts in this case saved victims over a hundred million dollars in ransom payments and likely more in remediation costs,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.
“This action demonstrates the Department of Justice’s commitment to protecting our communities from malicious hackers and to ensuring that victims of crime are made whole. Moreover, we will continue our investigation and pursue the actors behind Hive until they are brought to justice,” Polite Jr. said.
The investigation was a coordinated effort between US government agencies and Europol, with German and Dutch police cybercrime units also taking part.
Users trying to visit the Hive ransomware gang's website on Thursday were met with a notice of seizure.
A "last modified" timestamp on Hive's server indicates the takedown took place at around 12 PM GMT on 26 January.
According to the Cybernews research team, the Hive server's Application Programming Interface (API) was also seized by the authorities, which points to a complete takedown of the gang's infrastructure rather than just its public-facing leak site.
The former Hive landing page read, “The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware,” in both English and Russian languages.
“Hive ransomware attacks have caused major disruptions for more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure, and affected responses to the COVID-19 pandemic,” the DOJ stated.
The gang routinely used a ransomware technique known as double extortion.
In a double-extortion attack, the attacker not only encrypts the victim's systems and demands a ransom in exchange for a decryption key, but also exfiltrates data while inside the network and threatens to publish it unless the victim pays a second time. Restoring from backups therefore defeats only half of the extortion.
Now confirmed, the seizure marks the end of another major ransomware group. Other major criminal syndicates such as Conti, DarkSide, and REvil have been hit by authorities or disbanded themselves in recent years.
However, taking over a gang's IT infrastructure rarely affects the people behind it. Ransomware gangs rebrand and continue operating under different names. For example, Conti members went on to form Black Basta, while DarkSide resurfaced as BlackMatter and is widely believed to have re-emerged later as BlackCat/ALPHV.
Hive ransomware was first observed in June 2021 and has victimized hundreds of businesses since the start of its operations. Like other ransomware gangs, Hive operated a ransomware-as-a-service (RaaS) model: core developers maintained the malware and infrastructure, while affiliates carried out the intrusions and split the proceeds.
Hive rocked the ransomware market from the very beginning, hacking Europe's largest consumer electronics retailer, MediaMarkt, and demanding a whopping $240m ransom payment.
Security researchers considered the group to be among the most active in 2022. According to researchers at Intel 471, the group accounted for around 9% of reported ransomware attacks in the third quarter of 2022.
While some ransomware syndicates at least claim to avoid attacking healthcare institutions, Hive thrived on targeting hospitals. For example, the group hit a Louisiana hospital late last year, affecting 270,000 patients.
Last November, the Russia-linked ransomware group topped the US authorities' list of threats, having extorted some $100 million from more than 1,300 companies worldwide since it first surfaced.
CISA added that since June 2021 it had observed threat actors using Hive ransomware "to target a wide range of businesses and critical infrastructure sectors," especially healthcare facilities.