The Department of State also announced it is offering $5 million for any information that leads to the arrest of any individual around the world conspiring to participate in Hive ransomware activity.
In 2023, the State Department’s ‘Rewards for Justice’ program issued rewards for any information that could link Hive or other groups targeting US critical national infrastructure to a foreign government.
At the same time, the department revealed the FBI had penetrated servers and domains controlled by Hive as early as 2022.
Coordinated efforts from German and Dutch law enforcement led to the infiltration of Hive’s communication servers, with authorities claiming to have disrupted the group’s ability to continue its operations.
Following the operation, the FBI was able to provide over 1,000 decryption keys to active and previous Hive victims, reporting its actions had saved $130 million in unpaid ransoms.
Deputy attorney general Lisa O. Monaco said government agencies around the world are beginning to seize the initiative in their ongoing struggle to suppress ransomware.
“[O]ur investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”
FBI director Christopher Wray said the operation’s success demonstrates the value of counter-offensive tactics to disrupt groups like Hive in combination with crowd-sourcing information.
“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard.”
Is this the end of the road for Hive ransomware?
The Hive ransomware group has targeted over 1,500 companies across more than 80 countries and received over $100 million in ransom payments since June 2021, according to the FBI.
Previous attacks linked to the group include the extortion of CNA Insurance for $40 million in March 2021.
The Hive collective is known for being indiscriminate in attacking private corporations and public organizations alike, including healthcare providers.
The group targeted the non-profit Memorial Health System in August 2021, taking its systems offline and disrupting surgeries.
November 2021 saw Hive attack Europe’s largest electronics retailer, MediaMarkt, affecting the business’ ability to take card payments and forcing it to disconnect its cash registers from the network.
Although experts said the 2022 takedown of Hive would have disrupted the ransomware-as-a-service (RaaS) market, due to Hive’s popularity, they expected other threat actors to quickly pick up where the group left off.
The ransomware landscape has become more diversified over recent years, as the major players are targeted by law enforcement operations or simply lose ground to smaller, more dynamic threat actors.
Recent research from Searchlight Cyber found the ransomware landscape is becoming more fluid, highlighting a trend towards smaller groups who rapidly dissolve and reform under new monikers, reusing old tactics.