FBI's landmark takedown of Hive ransomware 'unlikely' to land significant impact

Abstract image of a ghost on a digital screen
(Image credit: Getty Images)

The US’ Federal Bureau of Investigation (FBI) announced that it infiltrated the Hive ransomware operation’s networks as far back as July 2022, preventing £104 million worth of ransomware payments from being made.

News of the ransomware organisation's deep web domain was becoming seized circulated social media on Thursday before official confirmation came from EUROPOL and the FBI hours later.

It was also revealed that the FBI used offensive security tactics to infiltrate the ransomware gang’s network - a rarity for such an operation.

Law enforcement agencies have only used offensive measures to defend against cyber criminals on only a handful of occasions previously.

During a 2021 operation jointly carried out by a number of international law enforcement (LE) agencies, including the FBI, the REvil ransomware gang was also infiltrated via an LE-led hacking mission.

While not strictly hacking, Dutch LE also famously took over and ran the Hansa dark web marketplace in 2017 during Operation Bayonet.

In the takedown of Hive, the FBI said it first infiltrated its network in July 2022. During the period it had visibility into the organisation's inner workings, it said it was able to provide more than 300 decryption keys to victims to victims under active attack.

More than 1,00 additional decryption keys were also distributed to previous victims.

Ransomware victims rarely recover the entirety of their files, even when they pay the ransom. Having access to a working decryptor can, in some cases, help achieve a more comprehensive file recovery process.

The FBI didn’t detail exactly how it was able to infiltrate the cyber criminal organisation, only that it did so as part of an operation involving 13 countries in total, including Germany, the Netherlands, the UK, and more.

A screenshot of the seizure notice when visiting Hive's deep web domain

The seizure notice displayed when visiting Hive's deep web domain (Image credit: EUROPOL)

With the seizure of Hive’s domain, it now means the gang cannot continue to conduct its operations and extort victims.

“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard,” said Christopher Wray, director at the FBI.

“The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cyber criminals who target American business and organisations.”

‘A drop in the ocean of cyber crime’

Takedowns like this are rare but so too are the lasting effects. LE agencies will likely see this as a win but in similar cases historically, the cyber criminals that work for such operations are often elusive and end up working for rival gangs.

The BlackCat ransomware group, for example, was launched around December 2021 and cyber security experts were quick to link its members to those who previously worked for BlackMatter and those who evaded capture during the takedown of REvil a few months prior.

“Taking down Hive won’t create a significant drop in overall global ransomware activity, but it's definitely a win for law enforcement and a signal to other nefarious cyber criminal gangs that their actions now have significant consequences.

“A coordinated takedown of a major ransomware group like Hive, which accounted for a large portion of ransomware as a service (RaaS) activity in 2022, can disrupt the RaaS market and decrease successful attacks,” said Immanuel Chavoya, senior manager of product security at SonicWall, to IT Pro.

“However, other threat actors will likely fill the void left in the wake of the Hive takedown."

The most common outcome in cases such as the takedown of Hive is that LE targets the seniormost members and focuses their legal efforts in bringing them to justice.

Lower-level staff can sometimes go underground and find new work elsewhere in the thriving cyber crime and ransomware scenes.

“While the world may be celebrating the seizing of Hive’s infrastructure, it doesn’t mean the ransomware gang is gone forever,” said Mark Lamb, CEO at HighGround.

“The infrastructure is just one element of the gang’s success and until law enforcement captures the criminals, there is a high chance they will resurface under a new identity with brand new infrastructure ready to terrorise again. Do DarkSide or BlackMatter ring any bells?

“While the takedown and seizing of the decryption key is brilliant and a major win for law enforcement, the threat of ransomware still looms.”

What is the Hive ransomware gang?

Since its launch in June 2021, Hive has been one of the most prolific RaaS operations in existence globally.

In December 2022, security firm Zscaler named it in a list of the top 11 active ransomware operations of the past year.

Hive’s affiliates have successfully attacked more than 1,500 organisations across more than 80 countries globally, according to the FBI’s figures.


Six myths of SIEM

Things have changed when it comes to SIEM solutions


The gang’s affiliates are also known for deploying double extortion tactics whereby they will breach their victim’s systems first, steal sensitive data, and then run their encryptor payload locking the organisation out of their files.

Double extortion methodology was developed to counter the rise in organisations refusing to pay ransom demands, instead restoring their IT estates from backups.

In not paying ransom demands in double extortion scenarios, victims run the risk of incurring data protection regulatory penalties for not adequately securing their customers’ data, for example.

Like many new ransomware strains, including BlackCat, Hive rewrote its ransomware payload executable in Rust in 2022 due to its memory safety, while retaining its cross-platform targeting capabilities from its previous version written in Go.

Hive’s affiliates have claimed attacks on high-profile organisations such as the New York Racing Association, India’s Tata Power, and French telco Altice.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.