January 26, 2023

Hive ransomware gang’s infrastructure taken down by the FBI and Europol

The successful operation could be a buzz-kill for the cybercriminals. Other gangs will also be taking note.

By Claudia Glover

Prolific ransomware gang Hive’s online infrastructure has been seized in a law enforcement sting led by the FBI and Europol, involving law enforcement officers from 13 countries. Officers obtained encryption keys which could help victims of the group retrieve stolen data and avoid paying ransoms totalling more than $100m.

A global operation led by FBI and Europol takes down Hive RaaS gang. (Photo by Kristi Blokhin/Shutterstock)

The dark web blog site for the gang has been replaced with a seizure notice. It says: “This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action.”

Europol confirmed the operation in a statement this afternoon, saying: “Europol supported the German, Dutch and US authorities in taking down the infrastructure of the prolific Hive ransomware. This international operation involved authorities from 13 countries in total. Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals.”

The statement added: “Law enforcement provided the decryption key to companies which had been compromised in order to help them decrypt their data without paying the ransom. This effort has prevented the payment of more than $130m (€120m) of ransom payments.”

It has not been revealed if any arrests have been made as part of the operation.

Hive ransomware’s reign of terror

Thought to be based in Russia, Hive is responsible for numerous attacks on targets including critical national infrastructure and private sector businesses. As of November, the gang has attacked more than 1,300 organisations worldwide according to an advisory released by the US’s Cybersecurity & Infrastructure Security Agency (CISA).

The gang’s main targets are schools and healthcare institutions. In August of last year, the cybercrime group froze the online infrastructure of six schools belonging to the Wooton Academy Trust in Bedfordshire. Hive demanded a ransom of £500,000, threatening to release the pilfered data of 4,500 schools should the trust refuse to co-operate. Parents of the pupils were also contacted by the ransomware gang.


In July, the cybercriminals went on a spree, hitting seven companies including frozen food specialist Exala, IT consultancy AdaptIT and US marketing firm Authentic Brands Group. This followed an attack in April in which cybercriminals using Hive hit the Indonesian gas giant PGN.

Is FBI sting a buzz-kill for Hive?

The FBI and Europol’s operation will be disruptive for the gang’s operations, says Allan Liska, CSIRT at cybersecurity company Recorded Future, because the data seized during the operation will contain vital information. “There’s always valuable intelligence that’s gathered from these servers,” he says.

This information could help law enforcement agencies track down Hive affiliates who also belong to other criminal gangs. “If you can start arresting some of the affiliates, it does have a broader impact down the road, while also disrupting ransomware attacks in the short term,” Liska says.

Moreover, Liska believes this kind of co-ordinated operation from law enforcement agencies will cause other ransomware gangs to think twice before drawing attention to themselves. “I think it’s too dangerous [for ransomware gangs] right now,” he says. “Look at all the flags that are on that seizure page. All of these countries are co-operating and they’re all going after ransomware groups.”

