In January 2023, the FBI revealed it had secretly hacked and disrupted an international ransomware gang called "Hive." Hive was one of the most prolific cybercriminal groups that extorted businesses by encrypting their data and demanded massive cryptocurrency payments in return.
Hive used a ransomware-as-a-service (RaaS) model featuring administrators, sometimes called developers, and affiliates. RaaS is a subscription-based model where the developers or administrators develop a ransomware strain and create an easy-to-use interface with which to operate it and then recruit affiliates to deploy the ransomware against victims. Affiliates identified targets and deployed this readymade malicious software to attack victims and then earned a percentage of each successful ransom payment.
Hive actors employed a double-extortion model of attack. Before encrypting the victim system, the affiliate would exfiltrate or steal sensitive data.
The affiliate then sought a ransom for both the decryption key necessary to decrypt the victim's system and a promise to not publish the stolen data. Hive actors frequently targeted the most sensitive data in a victim's system to increase the pressure to pay.
After a victim pays, affiliates and administrators split the ransom 80%/20%. Hive, however, will publish the data of any victims who do not pay ransom on the Hive Leak Site.
Using lawful means, government hackers broke into Hive's network and put the gang under surveillance, stealthily stealing the 300 digital keys the group used to unlock data from the organizations who were currently under attack.
Additionally, the FBI distributed more than 1,000 decryption keys to previous Hive victims.
News of the takedown was reported online when Hive's website was replaced with a flashing message that read, "The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware."
The takedown was a global initiative requiring cooperation across national borders and continents between the FBI, German Federal Criminal Police and the Dutch National High Tech Crime Unit. The German police and Dutch crime unit seized Hive's servers at the time of the takedown.
This takedown was different than other ransomware cases — there were no monetary seizures because investigators intervened before Hive demanded the payments. The undercover infiltration, which began in July 2022, went completely undetected by the gang until the January 2023 announcement.
It was reported that the FBI's operation helped a wide range of victims, including a Texas school district. The FBI provided decryption keys to the school district, saving it from making a $5 million ransom payment. At the same time a Louisiana hospital was spared a $3 million payment and the loss of important data.
Short of any arrests, Hive's hackers will likely either set up shop soon under a different brand or get recruited into another ransomware-as-a-service group. Either way, the sting operation took down Hive's nefarious activities and saved multiple companies from losing millions of ransom dollars and millions of data bytes.