In a milestone crackdown effort targeting ransomware cybercrime, the US Department of Justice has announced a major victory against notorious ransom gang Hive, seizing its website and massively disrupting the criminal organisation's digital infrastructure.
Hive reportedly operates by stealing sensitive data, such as emails, documents and various media, then encrypting the victim's computer files.
From there, the ransom gang demands a Bitcoin payment in exchange for 'a promise to not publish the stolen data' and a 'decryption key' necessary to restore the files.
According to the Department of Justice (DOJ), a 'months-long' campaign gained significant momentum in July 2022 when the FBI penetrated Hive's computer networks, captured its decryption keys and began distributing those keys to victims of Hive ransom attacks.
The campaign, conducted alongside the FBI and international law enforcement, was mounted against the Russia-linked group after it committed a string of attacks accumulating approximately $141m (US$100m) in ransom payments since June 2021.
According to the DOJ, the Russia-linked ransom group has targeted more than 1,500 victims in more than 80 countries, including hospitals, school districts, financial firms and critical infrastructure.
Since its initial infiltration of Hive's network, the FBI said it has provided over 300 decryption keys to global victims of Hive and prevented those attacked from paying $183m (US$130m) in ransom demands.
In an announcement on 26 January, Attorney General Merrick Garland said, "We are here to announce that last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world."
"Since July of last year, we provided assistance to over 300 victims around the world, helping to prevent approximately $130 million in ransom payments," he added.
The DOJ also announced (in coordination with German law enforcement and the Netherlands National High Tech Crime Unit) it had 'seized control' of the servers and websites used by Hive's members – disrupting the gang's ability to attack and extort further victims.
"Our continued investigative efforts led us to two back-end computer servers located in Los Angeles that were used by Hive to store the network's critical information.
"Last night, pursuant to a court order, we seized those servers.
"We also received court authorisation to wrest control of Hive's darknet sites and render its services unavailable," said Garland.
As of 26 January, visiting Hive's seized leak site simply displays a note reading "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware," in both English and Russian.
"This morning, if a Hive affiliate tries to access their darknet site, this is what they will see," said Garland.
Hive labelled a top 5 ransom threat
Hive has routinely appeared in cyber security headlines over the past 18 months and is most infamously credited for repeated attacks against healthcare, such as the 2021 attack which crippled American healthcare organisation Memorial Health System, forcing surgeries to be cancelled and clinic staff to work from paper charts.
While Hive's criminal exploits have been lucrative, the group has ultimately attracted the ire of multiple law enforcement agencies, including the FBI.
"The FBI has labelled Hive a top 5 ransomware threat — both for its technical sophistication and for the harm it can inflict on victims," said Deputy Attorney General Lisa Monaco.
"But, for all the group's technical prowess, it could not outfox our prosecutors, our agents, and our international law enforcement coalition," she added.
Monaco explained an investigative team had 'lawfully infiltrated' Hive's network and remained hidden there for months.
During this time, Monaco says the team repeatedly swiped decryption keys and freely passed them out to victims of the Hive ransomware variant.
"For months, we helped victims defeat their attackers and deprived the Hive network of extortion profits.
"Simply put, using lawful means, we hacked the hackers," said Monaco.
This announcement marks another successful DOJ initiative amid a significant uptick of anti-ransomware efforts – in 2022, the DOJ seized a collective $705,000 (US$500,000) in Bitcoin from North Korean ransomware actors, and in 2021 it seized a colossal 63.7 bitcoins (worth around $2.8 million at the time) from the ransomware group reportedly behind the disruptive Colonial Pipeline attack.
Monaco concluded her remarks on the recent campaign by declaring an "important success in the international fight against ransomware", before warning "we will not rest when it comes to Hive and its affiliates."
"If you target victims here in the United States, the Department of Justice will target you," said Monaco.