Ransomware, Threat Management, Malware

US, Europol seize Hive ransomware servers and leak sites: ‘We hacked the hackers’ 

A screen image says the Hive's site has been seized by law enforcement
A screenshot of the Hive ransomware group's leak site indicating it has been seized by U.S. and international law enforcement. The same message appeared in Russian. (Source: SC Media)

U.S. and international law enforcement authorities have taken action against the Hive ransomware group, including the seizure of U.S.-based servers and the shutdown of at least two of the group's dark net sites.

On Thursday morning, two of the group’s sites on the dark web used to communicate with and extort victims and leak data for non-paying businesses were replaced with a notice indicating in both English and Russian that the site has been seized in an international law enforcement operation involving the U.S. Department of Justice, the FBI, Secret Service, Germany, Europol and other European countries.

“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action against Hive ransomware,” the notice reads.

According to Ransomwatch, a site that tracks telemetry for ransomware groups, Hive’s main leak site as well as their victim negotiation portal now contain notices that they have been seized. The notice seen by SC Media also states that the action was done in coordination with the United States Attorney’s Office for the Middle District of Florida.

In a press conference Thursday morning, Attorney General Merrick Garland said the FBI’s Tampa division successfully infiltrated Hive’s network and began a campaign of disrupting the group’s activities, listing successful efforts to stop ransomware attacks against a Texas school district, a Louisiana hospital and a food services company last year. In at least two of those cases, the bureau was able to obtain decryption keys or claw back payments for millions of dollars in ransoms.

Garland said the bureau’s investigation led them to discover two backend computer servers in Los Angeles used by the group to store data.

“Last night, pursuant to a court order, we seized those servers. We also received court authorization to wrest control of Hive’s dark net sites and render its services unavailable,” said Garland in a press conference.  

Deputy Attorney General Lisa Monaco said the FBI has been inside Hive's network for months, stealing decryption keys to pass onto victims so they would not have to pay to decrypt their files.

“Simply put: using lawful means, we hacked the hackers. We turned the tables on Hive and we busted their business model, saving potential victims approximately $130 million in ransomware payments,” said Monaco.

Based on the search warrant executed Jan. 11, the servers were leased using three email addresses that law enforcement had identified as being used by Hive operators.

According to testimony from FBI special agent Timothy Callinan, the FBI has had access to Hive’s network since at least July 2022. One of the two U.S.-based servers seized was a redundant backup server hosting Hive’s Tor-based leak sites and victim negotiation portal. The other was a backend server connecting to Hive’s broader network and infrastructure and also contained records of communication between different Hive members, malware hashes as well as information on at least 250 Hive affiliates.

The FBI was able to obtain decryption keys for specific intrusions and said it passed 1,000 keys to at least 336 victims, helping save them as much as $130 million in ransom payments.   

The use of law enforcement resources to obtain decryptors and pass them along to victims marks a noted shift from the FBI's position in recent years, when they were criticized by lawmakers and cybersecurity professionals after reports came out following the Kaseya ransomware attack that the bureau had obtained a decryptor for REvil's malware, but opted to hold onto it for nearly three weeks before handing it over to Kaseya and their customers, citing a desire to use it instead for investigative and law enforcement operations.

FBI Director Christopher Wray said the bureau has since shared decryptor keys with victims in the U.S. as well as "many victims overseas." He used the seizure as an opportunity to urge additional businesses to come forward and provide assistance to the FBI, touting the bureau's efforts to help past victims avoid payments or get their money back and noting that many Hive victims do not report when they are hit with a ransomware attack.

"So today's lesson for businesses large and small, for hospitals and police departments and really all the other many victims of ransomware is this: reach out to your local FBI field office today, introduce yourself so that you know who to call when you become a victim of a cyber attack."

According to an advisory posted by the FBI, the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services, Hive has been a prolific ransomware-as-a-service actor, with affiliates infecting at least 1,300 known victims and receiving more than $100 million in ransomware payments as of November 2022. That advisory came around the same time that a Hive ransomware threat group claimed to have stolen 550 GB of data from Consulate Health Care.

As part of that advisory, the agencies asked victims to come forward and submit a range of evidence to authorities that may help the FBI investigate, including malware samples, images of infected systems, malicious IP addresses, a copy of their ransom note, ransom amounts, and Bitcoin wallet information.

“From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH),” the agencies advised late last year.

The takedown by law enforcement follow a string of arrests, seizures and raids conducted by law enforcement agencies against ransomware groups over the past two years as they target both individuals and infrastructure they rely on to extort their victims. Previous operations have been executed against other well-known ransomware groups like REvil, Cl0p, and Netwalker.

However, RaaS groups like Hive are massive, decentralized operations with many different affiliates, operators and developers. John Hultquist, Head of Mandiant Threat Intelligence at Google Cloud, said he was skeptical that the operation would cripple Hive's operations but it might dissuade them and similar groups from pursuing higher-value targets.

"The disruption of the Hive service won’t cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system," said Hultquist in a statement. "Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals."

Austin Berglas, a former FBI cyber official who helped create and lead the cyber branch at the bureau's New York office, largely concurred with that assessment, saying that takedowns can lead to brief disruptions of ransomware activity but only temporarily, while noting that authorities did not mention any arrests of individuals linked to the group.

"True dismantlement comes only when law enforcement can 'put hands on' or arrest the individuals responsible. However, identifying the actual human beings behind the keyboard is a very difficult task," said Berglas, now global head of professional services at BlueVoyant. "Many of these cyber criminals are adept at anonymizing their online communications, locations, and infrastructure - often operating in global locations where international law enforcement cooperation is non-existent and utilizing bullet-proof hosting providers, which are unresponsive to legal process."

This is a developing story and SC Media will continue to update as new information becomes available.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.