
When the news was broken
The Justice Department revealed in January 2023 that it had carried out a months-long operation to disrupt the Hive ransomware group, which had attacked over 1,500 victims across more than 80 countries, including hospitals, school systems, financial institutions, and critical infrastructure.
The initiation of the mission
- Since July 2022, the FBI has been inside Hive's computer systems, obtaining its decryption keys and sharing them with victims across the globe, helping them avoid paying around $130 million in ransom.
- Since that infiltration, the FBI has provided more than 300 decryption keys to organizations actively under attack by Hive, and over 1,000 keys to past victims.
- In a coordinated effort with German law enforcement agencies and the Netherlands' National High Tech Crime Unit, the Justice Department also announced that it has taken control of Hive's servers and websites, disrupting the group's operations and its communication channels.
How the operation was carried out, in the officials' words
- “The Justice Department took down a global ransomware operation that had extorted or attempted to extort hundreds of millions of dollars from victims in the U.S. and abroad,” stated Attorney General Merrick B. Garland. “Cybercrime is a constantly shifting threat, but as I’ve said before, the Justice Department is fully committed to tracking down and holding accountable anyone, anywhere, who launches ransomware attacks against the United States. We will keep working to stop these attacks and support the victims affected. Alongside our international partners, we will persist in dismantling the criminal networks behind them.”
- “The Justice Department’s takedown of the Hive ransomware group sends a strong message—not just to cybercriminals, but also to their victims,” said Deputy Attorney General Lisa O. Monaco. “In a modern-day cyber stakeout, our investigators flipped the script on Hive—stealing their decryption keys, giving them to victims, and helping prevent over $130 million in ransom payments. We’ll keep using every tool at our disposal to fight back against cybercrime, always keeping victims at the heart of our mission to combat these threats.”
- “The coordinated takedown of Hive’s computer networks—after months of helping victims regain access to their data—demonstrates the power of combining relentless technical work with strategic operations that directly impact our adversaries,” said FBI Director Christopher Wray. “The FBI will keep using our intelligence capabilities, law enforcement tools, global reach, and strong partnerships to go after cybercriminals who threaten American businesses and institutions.”
The need for rescue
“Our actions in this case prevented victims from paying over $100 million in ransom, and likely spared them even more in recovery expenses,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This operation highlights the Department of Justice’s dedication to defending our communities from malicious cyberattacks and supporting victims in their recovery. We’re not stopping here—we will keep investigating and pursuing those behind Hive until they are held accountable.”
Alleged gains of the ransomware group
- Since June 2021, the Hive ransomware group has attacked over 1,500 victims globally and collected more than $100 million in ransom payments.
- Hive ransomware attacks have significantly disrupted the daily operations of victims worldwide and even impacted efforts to respond to the COVID-19 pandemic.
- In one instance, a hospital targeted by Hive was forced to revert to manual processes to care for current patients and was temporarily unable to admit new ones in the aftermath of the attack.
How Hive operated
Hive was operated using a ransomware-as-a-service (RaaS) model, which involved administrators, or developers, and affiliates. In this subscription-based setup, developers created a ransomware strain and built an easy-to-use interface for its operation. They then recruited affiliates to carry out the attacks by identifying targets and deploying the pre-made malware. In return, affiliates received a share of the ransom payments from each successful attack.
Hive actors used a double-extortion attack model. Before encrypting a victim’s system, affiliates would first exfiltrate or steal sensitive data. They would then demand a ransom for both the decryption key needed to unlock the victim’s system and a guarantee that the stolen data would not be publicly released. To increase the pressure to pay, Hive often targeted the most sensitive data within a victim’s system. Once the ransom was paid, affiliates and administrators would split the payment 80/20. Victims who refused to pay had their data publicly posted on the Hive Leak Site.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Hive affiliates have gained initial access to victim networks through various methods, including: single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote connection protocols; exploiting vulnerabilities in FortiToken; and sending phishing emails with malicious attachments.
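As an added example (not code from the original post or from the DOJ or CISA material it summarizes), a small triage check for the first initial-access vector in the CISA list above: successful single-factor RDP/VPN logins from outside the network, the events a defender would want to review and, better, make impossible by enforcing MFA on every remote-access path. The key=value log format, field names, internal address ranges and all sample records are constructed for the demo.

```python
import ipaddress
import re

# Constructed sample records in a key=value format (assumed, not a real product's format).
SAMPLE_LOG = """\
ts=2022-11-02T03:14:07Z proto=rdp user=jsmith src=203.0.113.45 mfa=no result=success
ts=2022-11-02T03:15:21Z proto=vpn user=akumar src=198.51.100.9 mfa=yes result=success
ts=2022-11-02T03:16:02Z proto=rdp user=svc_backup src=10.20.30.40 mfa=no result=success
ts=2022-11-02T03:17:55Z proto=vpn user=mlee src=203.0.113.77 mfa=no result=failure
ts=2022-11-02T03:18:40Z proto=vpn user=mlee src=203.0.113.77 mfa=no result=success
"""

# Assumed internal ranges; a real deployment would use its own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REMOTE_PROTOCOLS = {"rdp", "vpn"}
REQUIRED_FIELDS = ("ts", "proto", "user", "src", "mfa", "result")
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; return None for blank or garbled lines."""
    fields = dict(_FIELD.findall(line))
    return fields if all(k in fields for k in REQUIRED_FIELDS) else None


def is_external(addr):
    """True when the source address lies outside the internal ranges above."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable source: treat as untrusted rather than silently skip it
    return not any(ip in net for net in INTERNAL_NETS)


def flag_single_factor_remote_logins(log_text):
    """Return the successful RDP/VPN logins that were single-factor and came from outside."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"] in REMOTE_PROTOCOLS and rec["result"] == "success"
                and rec["mfa"] == "no" and is_external(rec["src"])):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in flag_single_factor_remote_logins(SAMPLE_LOG):
        print(f"single-factor {h['proto']} login: user={h['user']} src={h['src']} at {h['ts']}")
```

Failed attempts and MFA-backed logins are deliberately left out of the hits; the point is the access path that a stolen or guessed password alone can open.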
Other Contributing Entities
The Justice Department also acknowledges the vital cooperation of the German Reutlingen Police Headquarters-CID Esslingen, the German Federal Criminal Police, Europol, and the Netherlands Politie. Significant support was provided by the U.S. Secret Service, the U.S. Attorney’s Offices for the Eastern District of Virginia and the Central District of California. The Justice Department’s Office of International Affairs and the Cyber Operations International Liaison also played key roles in the operation. Furthermore, several foreign law enforcement agencies contributed substantial assistance, including the Canadian Peel Regional Police and Royal Canadian Mounted Police, French Direction Centrale de la Police Judiciaire, Lithuanian Criminal Police Bureau, Norwegian National Criminal Investigation Service in collaboration with the Oslo Police District, Portuguese Polícia Judiciária, Romanian Directorate of Countering Organized Crime, Spanish Policia Nacional, Swedish Police Authority, and the United Kingdom’s National Crime Agency.