Hive ransomware

The Hive ransomware operation's Tor payment and data leak sites were seized in an international law enforcement operation after the FBI infiltrated the gang's infrastructure last July.

Today, the United States Department of Justice and Europol announced that an international law enforcement operation had secretly infiltrated the Hive ransomware gang's infrastructure in July 2022 and covertly monitored the operation for five months.

This access allowed investigators to learn about attacks before they happened and warn the targets, and to obtain and distribute decryption keys to victims, avoiding an estimated $130 million in ransom payments.

"Since late July 2022, the FBI has penetrated Hive's computer networks, captured its decryption keys, and offered them to victims around the world, saving victims from having to pay the $130 million ransom demanded," the Department of Justice said.

"Since infiltrating the Hive network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who have been attacked. Additionally, the FBI distributed over 1,000 additional decryption keys to previous Hive victims."

The ransomware gang's Tor websites now display a seizure notice listing a wide range of other countries involved in the law enforcement operation, including Germany, Canada, France, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden and the United Kingdom.

Unlike previous seizure notices used by law enforcement, this one is an animated GIF that alternates between an English and a Russian message, warning other ransomware gangs about the operation.

Hive ransomware Tor site seizure notice

“This hidden site has been seized. The Federal Bureau of Investigation has seized this site as part of a coordinated law enforcement action against Hive Ransomware,” the seizure notice reads.

"This action was taken in coordination with the United States Attorney's Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol."

What is Hive ransomware?

The Hive cybercriminal gang runs a ransomware-as-a-service (RaaS) operation that launched in June 2021. Its affiliates are known to breach organizations through phishing campaigns, by exploiting vulnerabilities in Internet-exposed devices, and by using purchased credentials.

Once they gain access to a corporate network, the threat actors move laterally to other devices while stealing unencrypted data for use in double-extortion demands.

Once they obtain administrative access to a Windows domain controller, they deploy the ransomware across the network to encrypt every device.

Unlike many ransomware operations that claim to avoid emergency services and healthcare facilities, Hive does not discriminate in whom it targets.

The ransomware group is responsible for numerous victims, including attacks on the nonprofit Memorial Health System, retail giant MediaMarkt, Bell Technical Solutions (BTS), Tata Power and the New York Racing Association.

In November 2022, the FBI said that the ransomware operation had generated approximately $100 million from more than 1,500 companies since June 2021.
