Hive ransomware group was not your average crime syndicate.
Formed by a conglomeration of elite hacking teams, instead of scattered individuals, the group operated more like a parent company, licensing out its ransomware to subsidiaries worldwide. The operation was professional, and its ransomware interface was easy to use, complete with a username and password login for victims and a live chat option with the hackers. They even had a logo.
Yet, behind this sanitized facade, the crimes were still ruthless. The group targeted 1,500 entities in 80 countries, including schools and financial firms. The hackers broke into networks via phishing, virtual private networks (VPNs), and other methods, holding an organization's data hostage through encryption and threatening to publish it if the victims didn’t send a ransom in cryptocurrency.
At the height of the pandemic, the hackers’ favorite targets were health care facilities. Most were so overrun with patients that they had no choice but to pay. One hospital in particular had to treat patients with analog methods and couldn’t accept new patients because of a Hive ransomware attack, according to the Department of Justice.
Beginning in June 2021, the group extorted ransoms totaling $100 million, a figure that could’ve been much higher if it weren’t for the FBI, which in July 2022 infiltrated Hive’s computer networks, poking around for seven months undetected as agents helped victims and gathered evidence.
Agents at the FBI Tampa Field Office acted as a subsidiary in the Hive network, with full access. Meanwhile, they were generating decryption keys and giving them to victims to recover their data. All in all, they provided some 300 decryption keys to victims over those seven months.
“What the FBI team in Tampa did here was essentially the same model that the criminals utilized,” Bryan Smith, section chief for the FBI’s Cyber Criminal Operations Section, said on the podcast Click Here. “We gained access to the network, looked around, saw what we could do with it, and then we operated as them. We created the decryption keys and got those to the victims. What's different is that we did that through lawful authority given to us by a court.”
While the agents were undercover in Hive's network, the hackers kept hacking. Still, because the FBI agents were already on the inside, they were able to prevent those would-be victims from losing access to their files before it was too late, Mike McPherson, the special agent in charge of the FBI’s Tampa office, told Click Here.
“We’re able to see who the victims were," he said. "We can go to the victim and say, you have a problem on your network, and we can tell them what to go look for."
By preventing possible attacks, the FBI and DOJ estimate they saved victims about $130 million in ransom payments. And in January, the Justice Department announced that it had shut down Hive by coordinating with law enforcement in Germany and the Netherlands to seize the group’s servers.
"Cybercrime is a constantly evolving threat," Attorney General Merrick Garland said in a statement. "But as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack."