Since June 2021, the Hive ransomware group has targeted more than 1,500 victims across 80 countries, according to the DoJ. Since infiltrating Hive’s network in late July 2022, the Federal Bureau of Investigation (FBI) has captured over 300 decryption keys and provided them to Hive’s victims. “In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims,” the DoJ said.
“In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million in ransomware payments,” said Deputy Attorney General Lisa Monaco in prepared remarks.
Additionally, in coordination with German law enforcement authorities and the Netherlands National High Tech Crime Unit, the FBI has “seized control of the servers and websites Hive uses to communicate with its members, disrupting Hive’s ability to attack and extort victims,” the DoJ added.
“We will continue to work both to prevent these attacks and to provide support to victims who have been targeted,” said Attorney General Merrick Garland in prepared remarks. “And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”
Attack Details
To carry out its attacks, Hive used ransomware-as-a-service (RaaS), a subscription-based model in which administrators develop a ransomware strain and create an easy-to-use interface to deploy it. Third-party affiliates are recruited to deploy the readymade malicious software to ransomware victims and are then rewarded with a percentage of each successful ransom payment.
According to the DoJ, Hive employed a double-extortion model of attack, which worked like this: Before encrypting each victim’s system, the affiliate would exfiltrate or steal sensitive data and would then seek a ransom both for the decryption key necessary to decrypt the victim’s system and for a promise not to publish the stolen data. The data of those who refused to pay were published on the Hive Leak Site, according to the DoJ.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Hive affiliates gained initial access to victim networks through a number of methods, including:
- single-factor logins through Remote Desktop Protocol;
- virtual private networks and other remote network connection protocols;
- exploiting FortiToken vulnerabilities; and
- sending phishing emails with malicious attachments.
In November 2022, CISA issued guidance that provides companies with more information about the technical details of the Hive ransomware attacks, the specific indicators of compromise, and what specific measures to take to both prevent and respond to a ransomware attack.
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.