FBI Seized Hive Ransomware Group’s Website and Decryption Keys

After infiltrating the group’s infrastructure last July, the FBI seized Hive ransomware operation’s Tor payment and data leak websites as part of an international law enforcement operation. The United States Department of Justice, in conjunction with Europol, stated that in July 2022, an international law enforcement operation stealthily entered the Hive ransomware group’s infrastructure and began monitoring the operation for six months. The operation enabled the FBI to learn about attacks before they happened, warn targets, and obtain and distribute decryption keys to victims preventing $130 million in ransom payments. After breaching the Hive Ransomware group’s network in July 2022, the FBI delivered over 300 decryption keys to Hive victims who were breached.

Details of Infiltration of Hive Ransomware Group

The FBI acquired access to two dedicated servers and one virtual private server at a hosting provider in California rented using Hive ransomware members’ email addresses, according to a warrant application. Additionally, Dutch authorities acquired access to two dedicated backup servers maintained in the Netherlands as part of a coordinated operation. Law enforcement then determined the servers functioned as the main data leak site, negotiation site, and web panels utilized by the operators and affiliates for the operation. According to a search warrant application, in addition to decryption keys, the FBI discovered records of Hive communications, malware file hash values, and information on Hive’s 250 affiliates. They also discovered victims’ information consistent with information previously obtained through the decryption key operation when it examined the database found on Target Server 2.

The Hive ransomware group’s Tor websites now show a confiscation notice that includes a long list of other countries involved in the law enforcement operation, including Germany, Canada, France, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom. Unlike previous seizure messages law enforcement used, an animated gif showing the message in English and Russian warned other ransomware groups about the operation. The GIF says that the hidden site was seized. As part of a coordinated law enforcement investigation against Hive Ransomware, the Federal Bureau of Investigation seized the site. It also says that the action was taken in collaboration with the United States Attorney’s Office for the Middle District of Florida and the Department of Justice’s Computer Crime and Intellectual Property Section, with significant support from Europol.

The Hive cybercriminal group operates as a ransomware-as-a-service (RaaS) organization, which began operations in June 2021. They have been known to infiltrate companies using phishing tactics, exploiting vulnerabilities in internet-exposed devices, and using acquired credentials. Once inside companies’ networks, threat actors spread to other devices, stealing unencrypted data to be utilized in double-extortion demands. When they acquire administrative access to a Windows domain controller, they spread their ransomware over the network, encrypting all devices. Hive is not picky about who it targets, unlike numerous ransomware operations that claim to avoid emergency services and healthcare organizations. Numerous victims have been targeted by the ransomware group, including the non-profit Memorial Health System, retail giant MediaMarkt, Bell Technical Solutions (BTS), Tata Power, and the New York Racing Association. The FBI reported in November 2022 that the ransomware group produced roughly $100 million from over 1,500 companies since June 2021.

The Federal Bureau of Investigation and other federal agencies will continue to utilize cyber intelligence, law enforcement tools, and global presence to counter ransomware groups targeting businesses and organizations. Additionally, it’s important for global companies to always remain vigilant on the latest threat landscape and regularly update their network security infrastructure. At SpearTip, our certified engineers are continuously working at our 24/7/365 Security Operations Center handling companies’ cyber incident response and monitoring their data networks for potential ransomware threats. By comparing technology and internal personnel, our engineers discover blind spots in companies that can lead to significant compromises. Additionally, our engineers discover vulnerabilities in firewall systems and enable companies to dedicate their valuable resources to evaluate and prioritize fixes by providing visibility of actual gaps, including existing false negatives.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.