Since June 2021, the HIVE ransomware group targeted more than 1,500 victims around the world and received over $100 million in ransom payments. After the ransomware victims paid, HIVE affiliates and administrators split the ransom 80/20. HIVE published the data of victims who did not pay on the HIVE Leak Site.
Hive ransomware attacks have caused major disruptions in victim daily operations around the world and affected responses to the COVID-19 pandemic. In one case, a hospital attacked by Hive ransomware had to resort to analog methods to treat existing patients and was unable to accept new patients immediately following the attack.
Hive’s methodology
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), HIVE affiliates gained initial access to victim networks through a number of methods, including: single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols; exploiting FortiToken vulnerabilities; and sending phishing emails with malicious attachments.
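Two of the initial-access vectors CISA lists above, single-factor RDP and VPN logins, are ones a defender can hunt for directly in authentication telemetry. The following script is an added example written for this page, not code from CISA, the DOJ or Europol. It runs over a handful of constructed records that mirror what a SIEM would normalise from Windows Security event 4624 (logon type 10 is a RemoteInteractive, i.e. RDP, logon) and from a VPN concentrator's session log, and flags RDP logons that arrive from outside the organisation's own address ranges and VPN sessions established without MFA. The field names, the internal address ranges and the records themselves are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List

# Internal address space is an assumption for this example; a real deployment
# would load the organisation's own allocations. Explicit ranges are used rather
# than ipaddress.is_private because Python also classifies the RFC 5737
# documentation networks used below as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Windows Security event 4624 logon type 10 = RemoteInteractive (RDP).
RDP_LOGON_TYPE = 10

# Constructed sample records (not real telemetry). Source addresses come from
# the RFC 5737 documentation ranges and stand in for Internet-facing clients.
SAMPLE_EVENTS: List[Dict] = [
    {"source": "windows", "event_id": 4624, "logon_type": 10,
     "user": "jsmith", "src_ip": "10.20.4.15", "mfa": False},
    {"source": "windows", "event_id": 4624, "logon_type": 10,
     "user": "svc-backup", "src_ip": "203.0.113.44", "mfa": False},
    {"source": "windows", "event_id": 4624, "logon_type": 3,
     "user": "jsmith", "src_ip": "203.0.113.44", "mfa": False},
    {"source": "vpn", "event_id": None, "logon_type": None,
     "user": "contractor1", "src_ip": "198.51.100.7", "mfa": False},
    {"source": "vpn", "event_id": None, "logon_type": None,
     "user": "admin2", "src_ip": "198.51.100.9", "mfa": True},
]


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_single_factor_remote_logons(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that matches a weak remote-access pattern.

    Two patterns are checked, matching the initial-access vectors described
    for HIVE affiliates:
      * an RDP logon (4624 / type 10) whose source address is not internal,
        i.e. RDP reachable from the Internet with only a password;
      * a VPN session that the identity provider did not mark as MFA-backed.
    """
    findings: List[Dict] = []
    for ev in events:
        if (ev["source"] == "windows" and ev["event_id"] == 4624
                and ev["logon_type"] == RDP_LOGON_TYPE
                and is_external(ev["src_ip"])):
            findings.append({"user": ev["user"], "src_ip": ev["src_ip"],
                             "reason": "rdp-from-external-address"})
        elif ev["source"] == "vpn" and not ev["mfa"]:
            findings.append({"user": ev["user"], "src_ip": ev["src_ip"],
                             "reason": "vpn-session-without-mfa"})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings by reason, the shape a dashboard or ticket would use."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["reason"]] = counts.get(f["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_single_factor_remote_logons(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['reason']:28} user={h['user']:12} src={h['src_ip']}")
    print(summarize(hits))
```

On the constructed input the script reports the `svc-backup` RDP logon from 203.0.113.44 and the `contractor1` VPN session without MFA, and leaves the internal RDP logon, the non-RDP network logon and the MFA-backed VPN session alone. The same two checks map onto the mitigations usually recommended against this access pattern: keep RDP off the Internet and require MFA on every VPN and remote-access path.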
HIVE used a ransomware-as-a-service (RaaS) model featuring administrators, sometimes called developers, and affiliates. RaaS is a subscription-based model in which the developers or administrators build a ransomware strain, create an easy-to-use interface with which to operate it, and then recruit affiliates to deploy the ransomware against victims. Affiliates identified targets, deployed this ready-made malicious software against them, and earned a percentage of each successful ransom payment.
Hive actors employed a double-extortion model of attack. Before encrypting the victim system, the affiliate would exfiltrate or steal sensitive data. The affiliate then sought a ransom for both the decryption key necessary to decrypt the victim’s system and a promise to not publish the stolen data. Hive actors frequently targeted the most sensitive data in a victim’s system to increase the pressure to pay.
How the US DoJ responded
According to the US Department of Justice, the FBI penetrated HIVE’s computer networks beginning in late July 2022, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded. After infiltrating HIVE’s network, the FBI provided over 300 decryption keys to HIVE victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous HIVE victims.
In coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, the FBI also seized control of the servers and websites that Hive used to communicate with its members, disrupting Hive’s ability to attack and extort victims.
Europol’s role
Europol streamlined victim mitigation efforts with other EU countries, which prevented private companies from falling victim to HIVE ransomware. Law enforcement provided the decryption key to companies which had been compromised in order to help them decrypt their data without paying the ransom. This effort has prevented the payment of more than USD 130 million or the equivalent of about EUR 120 million of ransom payments.
Europol facilitated the information exchange, supported the coordination of the operation and funded operational meetings in Portugal and the Netherlands. Europol also provided analytical support linking available data to various criminal cases within and outside the EU, and supported the investigation through cryptocurrency, malware, decryption and forensic analysis.
On the action days, Europol deployed four experts to help coordinate the activities on the ground. Europol supported the law enforcement authorities involved by coordinating the cryptocurrency and malware analysis, cross-checking operational information against Europol’s databases, and further operational analysis and forensic support. Analysis of this data and other related cases is expected to trigger further investigative activities. The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.
Read the full US DOJ announcement: “U.S. Department of Justice Disrupts Hive Ransomware Variant. FBI Covertly Infiltrated Hive Network, Thwarting Over $130 Million in Ransom Demands,” January 26, 2023 (US DOJ).
Read the full Europol announcement: “Cybercriminals stung as HIVE infrastructure shut down,” January 26, 2023 (Europol).
Why it matters
“Our efforts in this case saved victims over a hundred million dollars in ransom payments and likely more in remediation costs,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division in a prepared statement. “This action demonstrates the Department of Justice’s commitment to protecting our communities from malicious hackers and to ensuring that victims of crime are made whole. Moreover, we will continue our investigation and pursue the actors behind Hive until they are brought to justice.”
Who participated
The US Justice Department collaborated with the German Reutlingen Police Headquarters-CID Esslingen, the German Federal Criminal Police, Europol, and the Netherlands Politie, and significant assistance was provided by the U.S. Secret Service, U.S. Attorney’s Office for the Eastern District of Virginia, and U.S. Attorney’s Office for the Central District of California.
Headquartered in The Hague, the Netherlands, Europol supports the 27 EU Member States in their fight against terrorism, cybercrime, and other serious and organized crime forms.
Additionally, the following international law enforcement authorities provided substantial assistance and support: the Canadian Peel Regional Police and Royal Canadian Mounted Police, French Direction Centrale de la Police Judiciaire, Lithuanian Criminal Police Bureau, Norwegian National Criminal Investigation Service in collaboration with the Oslo Police District, Portuguese Polícia Judiciária, Romanian Directorate of Countering Organized Crime, Spanish Policia Nacional, Swedish Police Authority, and the United Kingdom’s National Crime Agency.
The Justice Department’s Office of International Affairs and the Cyber Operations International Liaison also provided significant assistance.