The FBI collaborated with German and Dutch law enforcement groups to seize control of Hive servers and websites that the cyber criminal group used for communicating with its members. The DOJ said that disrupting the gang’s digital infrastructure has interrupted Hive’s ability to pursue victims.
The FBI made its move after first penetrating Hive’s networks in late July 2022 and spending ensuing months in the system.
During that time, FBI members stole decryption keys and provided them to Hive victims. In more than 300 instances, the FBI was able to provide the keys to victims undergoing Hive attacks. Law enforcement delivered the tools before victims paid extortion, effectively heading off about $130 million in potential ransom payments, Deputy Attorney General Lisa O. Monaco said in a statement.
In one instance, the FBI helped a Texas school district facing a $5 million ransom demand, and, in another, a Louisiana hospital facing a $3 million ransom demand, U.S. Attorney General Merrick Garland said in published remarks.
The FBI also provided decryption keys to more than 1,000 entities that had been previously victimized by Hive, the DOJ said.
This new move may indicate a shift for the FBI. The agency previously came under critique for how it balanced investigative efforts against victims’ needs. After ransomware group REvil hit IT software provider Kaseya with a July 2022 attack, the FBI waited several weeks before disclosing that it had obtained the decryption keys.
According to the Washington Post, the FBI had held off to avoid tipping its hand to REvil about having gained access to the cyber criminals’ servers. During a November 2021 House committee hearing, FBI Cyber Division Assistant Director Bryan Vorndran said the FBI had needed a delay to give it time to vet the security of the decryption tools, to ensure they did not contain malicious code.
Hive targeted more than 1,500 victims globally since June 2021 and extorted more than $100 million during that time, per the DOJ. The gang practices double-extortion in which it both exfiltrates and encrypts data, then demands one payment to decrypt the files and a second payment in exchange for not publishing them.
“We will continue our investigation and pursue the actors behind Hive until they are brought to justice,” said Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department’s Criminal Division.