Hive Ransomware Gang Loses Its Honeycomb, Thanks to DoJ

The US Department of Justice hacked into Hive's infrastructure, made off with hundreds of decryptors, and seized the gang's operations.

Closeup photo of young bee inside honeycomb
Source: Ivan Kmit via Alamy Stock Photo

The Feds have disrupted the prolific Hive ransomware gang, saving victims from a collective $130 million in ransom demands. But it remains to be seen how much of a blow the effort will be to the overall ransomware landscape.

The group's operations have been buzzing with activity for months, racking up more than 1,500 victims in 80-plus countries around the world since it appeared in June 2021, according to an announcement from the US Justice Department. The gang has been operating with a ransomware-as-a-service (RaaS) model, engaging in data theft and double extortion, and delivering its venom indiscriminately to school districts, financial firms, critical infrastructure, and others. At least one affiliate has become a bit of a hospital specialist, disrupting patient care in some attacks.

In what officials called "a 21st-Century cyber-stakeout," the FBI has been infiltrating the gang's network infrastructure since last July and, perhaps most notably, has now seized its decryption keys.

"The FBI has provided over 300 decryption keys to Hive victims who were under attack," according to Thursday's announcement. "In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims."

Hive: Gone for Good?

Aside from swiping the decryptors, the DoJ also worked with German law enforcement to execute a coordinated seizure of the group's command-and-control (C2) infrastructure (including two servers located in Los Angeles) and the group's Dark Web leak site, US Attorney General Merrick Garland said during a press conference.

The actions could have a significant effect on the volume of ransomware attacks, at least in the short term. According to Mandiant, Hive was the most prolific ransomware family that it dealt with in its incident response engagements, accounting for more than 15% of the ransomware intrusions that it responded to.

That said, while the strike will certainly be a blow to the gang, it's unlikely that its affiliates and members will be dormant for long. As with other high-profile takedowns such as those of Conti and REvil, it's likely that they will simply join other teams or regroup to sting another day.

"We've seen multiple actors using Hive ransomware since it emerged, but the most prolific actor over the past year, based on our visibility, was UNC2727," Kimberly Goody, senior manager at Mandiant Intelligence — Google Cloud, said in an email statement. "Hive also hasn't been the only ransomware in their toolkit; in the past we've seen them employ Conti and MountLocker, among others. This shows that some actors already have relationships within the broad ecosystem that could enable them to easily shift to using another brand as part of their operations."

Ransomware Is Becoming Less Attractive

Still, the ransomware game is getting tougher for operators, who are facing declining profit margins, lower valuations for cryptocurrency, intense law enforcement scrutiny, more victims having appropriate backups in place, and increasing refusals from targets to pay up. As such, researchers have seen an emerging trend of ransomware actors pursuing other avenues to make money.

Crane Hassold, former FBI cyber psychological operations analyst and head of research at Abnormal Security, said via email that this latest event is likely to add fuel to that phenomenon.

"It's very possible that we'll start to see ransomware actors pivot to other types of cyberattacks, like business email compromise (BEC)," he said. "BEC is the most financially impactful cyberthreat today and, instead of using their initial access malware to gain a foothold on a company's network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights