FBI hacks ransomware gang Hive, releasing its decryption keys to victims

27 Jan 2023


Ransomware gangs like Hive can often regroup under new names and begin targeting victims all over again, say cybersecurity experts.

The US Department of Justice issued an announcement yesterday (26 January) saying it has made a breakthrough in tackling a major ransomware group called Hive.

The FBI has been infiltrating Hive’s computer networks since last July, and its disruption of the hackers’ operations has put an end to more than $130m in ransom demands.

As part of the infiltration, the FBI hacked into the gang’s networks and captured Hive’s decryption keys before offering them to victims of the gang.

The Hive gang has been targeting people worldwide for some time now. Since 2021, it targeted more than 1,500 people, securing hundreds of millions in ransom payments. The ransomware has often been used to target healthcare systems.

“The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators,” said US deputy attorney general Lisa O Monaco.

The US agencies investigating the Hive hackings worked in co-operation with international authorities in countries such as Germany and the Netherlands.

“In a 21st century cyber stakeout, our investigative team turned the tables on Hive,” Monaco pointed out. “We will continue to strike back against cybercrime using any means possible and place victims at the centre of our efforts to mitigate the cyber threat.”

The FBI and its equivalent international organisations have been monitoring Hive’s methods for years.

Commenting on the most recent success by the authorities in thwarting the hacker group’s efforts, Hüseyin Can Yuceel, security researcher at Picus Security, warned them not to become complacent.

“Hive ransomware group was one of the most prolific ransomware gangs in the last five years. Hive adopted all of the recent trends in the ransomware scene and became a major player in the ransomware-as-a-service business,” he said.

“Ransomware threat actors are likely to regroup and continue their operations,” he added, explaining that ransomware as a business remains too lucrative for hackers to give up on.

He also pointed out that the FBI’s press release did not mention any specific names. “There is no attached indictment. Sophisticated ransomware threat actors are not easy to identify, and even if they are identified, they may not be within the agency’s reach,” he said of the FBI.

“That’s why the FBI took the next best approach and disrupted the group’s operations. The attached warrant is for the seizure of servers used by Hive and located in California, which falls under FBI jurisdiction.”

Muhammad Yahya Patel, security engineer at Check Point Software, said that the FBI’s Hive “takedown is a win that we should celebrate”.

“It sends a strong message to ransomware gangs and has probably shaken some as they don’t know if they are also under surveillance.”

However, he too reiterated the warning that groups “do usually reform under a new name or spread into other gangs, so we shouldn’t get ahead of ourselves”.

Patel believes that the disruption of Hive’s activities in this specific manner represents a new breakthrough for the authorities in tackling cybercrime.

“With this success I expect we will see more of this technique as it could be a potentially quicker and easier way to hold those responsible accountable.”


Blathnaid O’Dea was a Careers reporter at Silicon Republic until 2024.
