In July, the FBI confiscated the group’s infrastructure as part of an international law enforcement operation, including their Tor payment and data leak sites.

Six months of covert surveillance of the Hive ransomware gang’s infrastructure was revealed by the U.S. Department of Justice and Europol in January 2023.

This operation enabled them to detect impending attacks, alert targets, and collect and distribute decryption keys to victims, saving an estimated $130 million in ransom payments.

According to the Justice Department bulletin, the FBI has been working since late July 2022 to infiltrate Hive’s computer networks, grab its decryption keys, and distribute them to victims worldwide to prevent them from paying the $130 million ransom.

Over 300 Hive victims have been given decryption keys after the FBI infiltrated the Hive network in July 2022. The FBI also sent over a thousand more decryption keys to former Hive inmates.

An application for a warrant states that the FBI accessed three servers at a California hosting provider, two dedicated and one virtual private, by using email addresses believed to belong to members of the Hive.

By working together, the Dutch police could also break into two other Dutch-hosted backup systems.

“This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware,” reads the seizure notice.

Thanks to this access, law enforcement verified that the servers in question served as the primary data leak site, negotiation site, and web panels for the operation’s administrators and affiliates.

The FBI verified the accuracy of the information it had obtained through the decryption key operation by comparing it to the database discovered on Target Server 2. This database contained records of communications between Hive members, hash values for malware files, details on 250 affiliates, and victim information.

Germany, Canada, France, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom are some of the nations included in a seizure notice posted on the ransomware group’s Tor domains.

This graphic is an animated GIF alternating between an English and Russian message to alert other ransomware groups.

In other words, who is Hive?

A ransomware-as-a-service, Hive was released by cybercriminals in June of 2021. (RaaS). They often get access to networks by phishing, security flaws in internet-connected devices, or by acquiring credentials.

They compromise a Windows domain controller and exploit it to propagate their ransomware over the network, locking users out of their own devices.

However, unlike other ransomware groups who claim to avoid targeting healthcare institutions, Hive does not pick and choose which targets they attack.

The victims of the ransomware group’s attacks have ranged from the non-profit Memorial Health System to the retail giant MediaMarkt to the telecoms firms Bell Technical Solutions (BTS) and Tata Power to the New York Racing Association.

In November 2022, the FBI said that over 1,500 companies had paid the ransom, bringing the total amount collected from the scheme to almost $100 million since June 2021.