The U.S. Department of Justice has taken down the Hive ransomware group that has targeted hospitals, school districts, financial firms and critical infrastructure. The group targeted 1,500 victims in over 80 countries.
The FBI was able to penetrate Hive's computer networks, capture its decryption keys and offer them to victims, sparing victims from paying $130 million in ransom demands, the Justice Department announced. The FBI infiltrated Hive in July 2022 and was able to provide more than 300 decryption keys to Hive victims who were under attack. The agency also distributed more than 1,000 decryption keys to previous victims.
The announcement comes as the healthcare industry is facing more cyberattacks than ever, with criminals targeting sensitive patient data. On average, a data breach costs healthcare organizations $10 million.
The agency also announced that, in collaboration with German law enforcement and the Netherlands National High Tech Crime Unit, it seized control of the servers and websites that Hive used to communicate with its members, disrupting Hive's ability to attack and extort victims.
“Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” Attorney General Merrick B. Garland said in a statement. “Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”
The Hive ransomware group has targeted more than 1,500 victims since June 2021 and received more than $100 million. The attacks have been extremely disruptive to victims, including one hospital that was forced to resort “to analog methods to treat existing patients and was unable to accept new patients immediately following the attack,” the Justice Department said.
The ransomware group operated a subscription-based ransomware-as-a-service (RaaS) model with two roles: administrators, also called developers, and affiliates. The developers build the ransomware strain and the interface used to operate it, then recruit affiliates to deploy the ransomware against victims. Affiliates identified targets and deployed the ransomware against them, earning a percentage of each successful ransom payment.
The Hive group used a double-extortion model of attack: the affiliate would steal or exfiltrate sensitive data before encrypting the victim’s systems, then demand a ransom both for the decryption key and for a promise not to publish the victim’s data. The attackers specifically targeted the most sensitive data to increase the pressure to pay. Affiliates and administrators of Hive would split the ransom 80/20, and the group published the data of victims who did not pay on the Hive Leak Site.