DOJ takes down ransomware group with a ’21st century cyber stakeout’

After a months-long covert operation, the US Justice Department (DOJ) and its international partners have taken down an international ransomware network known as Hive, the agency announced Thursday. Since 2021, the Hive ransomware group has targeted more than 1,500 victims around the world, securing more than $100 million in ransom payments from hospitals, school districts, financial firms and other entities. 

Also: 3 security gadgets I never leave home without

To dismantle the Hive network, the Justice Department operated a “21st century cyber stakeout,” according to Deputy Attorney General Lisa O. Monaco.

“Our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments,” she said in a statement. 

The FBI first penetrated Hive’s computer networks in July 2022. During the operation, the agency managed to secure more than 300 decryption keys for Hive victims who were under attack. It also retrieved more than 1,000 additional decryption keys for prior Hive victims. By capturing those decryption keys, the FBI saved victims from having to pay $130 million in ransom demanded. 

On Thursday, the DOJ worked with German and Dutch law enforcement to seize control of the servers and websites that Hive used to communicate with its members.

Also: NSA and CISA alert: This phishing scam could give hackers control of your PC

Hive used a ransomware-as-a-service (RaaS) model. Hive’s “developers” or “administrators” would develop a ransomware strain and then recruit “affiliates” who could deploy it against victims. The “affiliates” would steal sensitive data from victims and also encrypt the victim’s systems. 

After a victim paid the hackers to get their stolen data back — as well as for a decryption key necessary to decrypt their system — the affiliates and Hive administrators would split the ransom 80/20. If a victim didn’t pay, their data was published on the Hive Leak Site.