FBI infiltrates ransomware gang HIVE

“We hacked the hackers,” the FBI announced after taking down a ransomware gang that has extorted over $100 million from the healthcare industry.
By admin
Feb 1, 2023, 9:30 AM

The FBI announced on Thursday that they have successfully infiltrated the ransomware gang Hive and shut down its leak site after a months-long investigation.  

Hive is one of the world’s biggest ransomware threats and has targeted over 1,500 organizations in 80 countries and has extorted an estimated $100 million.  

“But, for all the group’s technical prowess, it could not outfox our prosecutors, our agents, and our international law enforcement coalition,” Deputy Attorney General Lisa O. Monaco said in her remarks.

In July of 2022, FBI agents from the Tampa Division infiltrated the Hive network and took their decryption keys. They have successfully thwarted over $130 million in ransom payments and disrupted over 300 attacks by providing the decryption key to victims.  

“For months, we helped victims defeat their attackers and deprived the Hive network of extortion profits. Simply put, using lawful means, we hacked the hackers,” Monaco continued.

The cybergang first made headlines after they took over Illinois-based Memorial Health System’s network in July 2021. The hospital had to revert to paper records for existing patients and was unable to accept new patients at the height of the Covid-19 pandemic.  

Operating under a ransomware-as-a-service (RaaS) model, Hive takes over a computer network and holds it hostage until a ransom is paid. This model involves administrators, often referred to as developers, and affiliates.

Developers create a ransomware strain and its accompanying user interface, and affiliates are employed to execute the attack and receive a percentage of each successful ransom payment.  

Hive actors implemented a double-extortion model—stealing data from victims prior to encryption and then demanding payment to both decrypt the system and refrain from publishing the stolen data. 

Ransomware groups target hospital systems for the wealth of information they hold – financial, medical, and intellectual – and for the high-pressure, high-stakes situation that results when a hospital database is held hostage.

Victims refusing to comply were blackmailed by having their data published on the Hive Leak Site.  

The FBI worked with German law enforcement and Europol to achieve the takedown. Europol reported that law enforcement agencies in 13 of the 80 countries Hive targeted took part in the operation.

The investigation led agents to two Hive computer servers in Los Angeles that stored critical information. One was a redundant backup system holding their leak sites and victim negotiation portal, and the other was a backend server connecting to Hive’s entire infrastructure and containing records of communication between members, hashes of malware, and data on at least 250 affiliates. 

“Last night, pursuant to a court order, we seized those servers. We also received court authorization to wrest control of Hive’s dark net sites and render its services unavailable,” Attorney General Merrick Garland said in a press conference on Thursday. 

The confiscated servers were associated with three email addresses that have been used by Hive operators.  

Officials announced that while no arrests have been made, they are mapping the location of administrators who handle the software and the associates who execute the attacks. The Department of Health and Human Services (HHS) has reported that Hive is a “possibly Russian speaking” group.  

Without arrests, Hive is far from being dismantled. 

“The disruption of the Hive service won’t cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system,” said John Hultquist, a vice president of Google-owned cybersecurity firm Mandiant, in a statement.  

“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to target hospitals,” Hultquist said.

Jan Lovmand, CTO of BullWall, a ransomware protection provider, reacted similarly to the Hive takedown.

“What is a significant win for law enforcement could, in reality, be a road bump for the Hive ransomware group. Whenever law enforcement starts paying too significant attention and effort to a particular group, they often scatter or reorganize under a different name. We have seen these seizures before, only for a gang to surface with new extortion sites and ransomware names, or sometimes as several smaller groups. In the past they have seen these interruptions as temporary setbacks to a very lucrative business—similar to when a drug cartel has a shipment seized,” Lovmand said in a statement.
