FBI Infiltrates Hive Ransomware Gang, Seizes Leak Website and Decryption Keys

The FBI disrupted the notorious Hive ransomware gang after infiltrating its ranks and covertly monitoring its operation for six months.

The crackdown, with the aid of police in several European countries, led to the seizure of several sites run by the cybercrime gang, including a Tor payment site and several data leak sites.

Hive, a ransomware-as-a-service (RaaS) operation first seen in mid-2021, has launched sophisticated attacks against energy providers, healthcare institutions, retailers and non-profit organizations. According to a previous FBI report, the vicious gang operating the service has amassed a staggering $100 million in just 18 months.

“Since late July 2022, the FBI has penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded,” reads the Department of Justice’s press release. “Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack.”

Reportedly, the FBI gained access to two dedicated servers and a virtual one hosted by a California-based provider, all leased using Hive member email addresses. Dutch authorities also confiscated two backup servers in the Netherlands.

Analyzing evidence on the machines helped authorities establish that the seized websites were, in fact, a negotiation site, a main data leak site, and various web panels employed by the criminals and their associates.

Further examination of the database revealed Hive communication records, additional details on group affiliates, victim information, and malware file hash values, according to the affidavit.

Since the crackdown, Hive’s Tor websites display a police seizure notice outlining several countries that contributed to the operation, including Canada, France, Germany, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden and the United Kingdom.