DOJ disrupts notorious ransomware group Hive

Hotstar in UAE
Hotstar in UAE

The ransomware group Hive has been on the radar of U.S. authorities due to its nefarious operations. The group has targeted more than 1,500 victims in over 80 countries, extorting hundreds of millions of dollars in ransom payments. In a recent announcement, the U.S. Department of Justice (DOJ) announced that they have successfully infiltrated and disrupted the group’s operations.

Hive Ransomware Group and their modus operandi

Hive, like many ransomware groups, operates a ransomware-as-a-service model, focusing on healthcare and public health entities. In this model, the group’s administrators create user-friendly ransomware strains and recruit affiliates to carry out attacks. These affiliates then use the software to steal data from victims and encrypt their systems, demanding a ransom in exchange for the decryption key and a promise not to publish the stolen data. If the victim pays the ransom, the administrator and affiliate split the ransom 80/20. Those who refuse, however, find their data leaked on the web.

The Illinois-based Memorial Health System was the first target of the group back in August 2021, which was followed by Costa Rica’s public health service and New York-based emergency response and ambulance service provider Empress EMS. The group also targeted companies like Tata Power, a power-generation company in India, in October.

Coordinated law enforcement action against Hive

Working alongside German and Netherlands law enforcement, the FBI carried out the operation just months after the federal government’s cybersecurity unit, CISA, sounded the alarm about Hive’s ongoing extortion efforts. The FBI confirmed it had been monitoring Hive’s computer network since July 2022, allowing federal agents to capture and offer Hive’s decryption keys to victims worldwide.

According to U.S. Attorney General Merrick Garland, ever since the operation, the DOJ has helped at least 336 victims of the Hive ransomware and prevented more than $130 million in ransom payments. Additionally, the DOJ also disrupted a Hive ransomware attack on a Louisiana hospital, preventing a $3 million ransom payment, and another attack on a school in Texas.

Now, the agency has begun dismantling Hive’s front- and back-end infrastructure in the US and abroad, which included the seizure of two of Hive’s back-end servers located in Los Angeles. While the DOJ has disrupted the group’s operations, it is still investigating the group and has not yet made any arrests.

2023-01-27 15:08:06