US authorities seize servers for Hive ransomware group

‘We hacked the hackers,’ says deputy attorney general of group that has received over $100m in extortion payments from victims

US authorities have seized the servers of the notorious Hive ransomware group that has received more than $100m in extortion payments from thousands of victims after law enforcement infiltrated its systems and captured the keys to decrypt its attack software, the justice department announced on Thursday.

The website for the group – considered among the most dangerous and prolific hacker gangs that targeted hospitals and public infrastructure – showed a message saying it had been seized by an international law enforcement coalition including the department and the FBI.

Ransomware is a type of malicious attack that infiltrates a computer network and makes files inaccessible. Hackers then demand a ransom to unlock the system, typically in the form of cryptocurrency. The Hive group was known to re-infiltrate networks that tried to circumvent their attacks.

“In a 21st-century cyber stakeout, our investigative team turned the tables on Hive,” the deputy attorney general, Lisa Monaco, said at a news conference announcing the seizure at department headquarters in Washington. “Using lawful means, we hacked the hackers.”

The months-long operation, which started in Florida last year, involved FBI agents accessing Hive’s network and providing victims with the decryption keys needed to regain control of their systems, blocking about $130m in demanded ransoms, senior justice department officials said.

Hive used a “ransomware-as-a-service” model, where its developers sold their ransomware code to affiliates, who carried out the actual attacks – an arrangement that makes it harder for authorities to identify and investigate the hackers behind the group.

A sign displaying an hidden site that was seized is seen during a press conference in Washington DC on 26 January.
A sign displaying an hidden site that was seized is seen during a press conference in Washington DC on 26 January. Photograph: Mandel Ngan/AFP/Getty Images

The group was particularly notorious for targeting hospitals and schools. In the summer of 2021, Hive carried out a ransomware attack on a hospital in the US midwest that prevented it from accepting new patients and forced it to run all of its operations with paper records.

The FBI started to work with victims in July 2022 to identify Hive’s targets and then sought court orders and search warrants to enter Hive’s systems, officials said, before ultimately seizing Hive’s servers and websites that its members used to communicate and carry out the attacks.

“This is not exactly hiding in plain sight, this is just hiding. We hide and we watch as they proceed with their attacks and we discover the keys and deliver the keys to victims,” the attorney general, Merrick Garland, said.

The department did not announce arrests on Thursday and declined to discuss the possibility of charges against Hive’s members, who are known to communicate in Russian, or ties to the Kremlin because the investigation remains ongoing.

The operation, the department said, was led with German law enforcement and the Netherlands National High Tech Crime Unit. Separately, the National Crime Agency in the UK said in a statement that its investigators were involved in removing malware from UK victims.

The treasury department has estimated that ransomware attacks cost US organizations $886m in 2021, the most recent year for which data is available.

Russia does not extradite its citizens, and the White House has failed to convince the Kremlin in recent years to prosecute its cybercriminals. At least some of the most infamous hacking gangs, including the Fancy Bears group, have been connected to its state security services.


Hugo Lowell in Washington

The GuardianTramp

Related Content

Article image
How the Colonial Pipeline hack is part of a growing ransomware trend in the US
Cybercriminals have attacked solar power firms, water treatment plants and police departments in attempts to extort money

Adam Gabbatt

14, May, 2021 @6:00 AM

Article image
Ransomware attack reveals breakdown in US intelligence protocols, expert says
Attack renews debate over agencies such as the NSA leaving vulnerabilities in place for strategic purposes rather than alerting companies immediately

Edward Helmore in New York

13, May, 2017 @5:41 PM

Article image
‘It’s feasible to start a war’: how dangerous are ransomware hackers?
Secretive gangs are hacking the computers of governments, firms, even hospitals, and demanding huge sums. But if we pay these ransoms, are we creating a ticking time bomb?

Sirin Kale

01, Aug, 2021 @9:00 AM

Article image
Ransomware attack on US Marshals compromises sensitive information
Federal agency best known for tracking down fugitives suffered security breach on 17 February

Guardian staff and agencies

28, Feb, 2023 @1:40 PM

Article image
Florida authorities seize 1,400lb of shark fins and sack labeled 'bag full of drugs'
In separate recent incidents, officials found a variety of drugs in a clearly labeled bag and illegal endangered species worth up to $1m

Guardian staff and agencies

05, Feb, 2020 @4:44 PM

Article image
How remote work opened the floodgates to ransomware
With workers outside the ‘castle walls’ of their companies, criminals have it easier – and cryptocurrency hasn’t helped

Kari Paul

17, Jun, 2021 @10:00 AM

Article image
ScarePakage Android ransomware pretends to be FBI porn warning
Hard-to-remove malware locks devices and tries to make people pay $300 fines, says security firm Lookout. By Tom Brewster

Tom Brewster

17, Jul, 2014 @11:27 AM

Article image
What is LockBit ransomware and how does it operate?
Name of malware and criminal group behind it, LockBit has been blamed for attack on Royal Mail

Dan Milmo Global technology editor

13, Jan, 2023 @3:13 PM

Article image
Smartwatch maker Garmin hit by outages after ransomware attack
US company forced to shut down call centres, website and some other online services

Mark Sweney

24, Jul, 2020 @7:49 AM

Article image
Russian ransomware attacks increased during 2021, joint review finds
Britain, the US and Australia point to growth in ‘sophisticated, high-impact ransomware incidents’

Dan Sabbagh Defence and security editor

09, Feb, 2022 @2:07 PM