US shuts down major ransomware network Hive

The United States has seized the website of a major ransomware network, the US Department of Justice announced, accusing Hive ransomware actors of extorting more than $100m from more than 1,500 victims around the world.

In a statement on Thursday, US Attorney General Merrick Garland said the Department of Justice had dismantled “an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims”.

The victims included hospitals, school districts, financial firms, and critical infrastructure, the statement said.

“Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack,” Garland said.

A US government advisory last year said Hive ransomware actors victimised more than 1,300 companies worldwide from June 2021 through last November, receiving approximately $100m in ransom payments.

The seizure is the latest effort by the Department of Justice to tackle the scourge of ransomware, in which hackers lock up or encrypt victims’ computer networks, steal data and demand large sums.

The issue spurred national attention in the US after a cyberattack using ransomware forced a major American pipeline operator offline in 2021. The targeted company paid a multimillion-dollar ransom that the US government largely recovered.

In Thursday’s statement, the Department of Justice said the FBI infiltrated Hive’s computer networks beginning in July 2022. The FBI captured decryption keys, which were then circulated to victims worldwide to help them avoid paying $130m in ransom, it said.

“Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims,” the statement read.

Hive operated as a ransomware service, meaning anyone could hire its software and other services to help hack into and lock down a target’s IT systems, and to process payments. Hive and the client would share the profits from the extortion.

The hackers would demand large payments, often in cryptocurrency, in exchange for freeing up the systems. If victims refused to pay, Hive would publish confidential internal files and documents on the internet.

Victims included India’s Tata Power, German retail giant Media Markt, Costa Rica’s public health service, Indonesia’s state gas company and multiple US hospital groups, according to cybersecurity advisers.

During a news conference alongside Garland and other US officials on Thursday morning, FBI Director Christopher Wray said the operation to dismantle Hive’s infrastructure was done in coordination with partners in Germany and the Netherlands, as well as Europol.

US officials would not say who is behind Hive or whether any arrests would accompany the shutdown of the operation, as the investigation was continuing.

But Wray told reporters that “anyone involved with Hive should be concerned.”