A joint operation by international police forces has seized and taken offline the assets of the Hive ransomware gang, after the FBI managed to conduct a successful undercover operation that began last July.

The ransomware gang’s Tor websites now display a seizure notice signed by multiple law enforcement agencies, including those of Canada, France, Germany, Lithuania, Norway, the Netherlands, Portugal, Romania, Spain, Sweden and the United Kingdom.

The US Department of Justice and Europol today announced the results of the operation. “Since late July 2022, the FBI has penetrated the Hive network, stolen the keys to decrypt the archives and shared them with victims around the world, thus avoiding the payment of a total of 130 million dollars in ransoms,” the Justice Department said.
In the course of this operation the FBI recovered over 300 keys to provide to current Hive victims, plus another 1000 keys for victims previously affected by the gang’s activity. The police also gained access to two dedicated servers and a virtual private server at a Californian ISP, which the gang had leased using email addresses belonging to Hive members. In parallel, the Dutch police gained access to two backup servers located in the Netherlands.

These servers proved to be Hive’s core IT infrastructure. Examining them yielded communication logs, malware hash values, information about the group’s 250 affiliates, and information about victims.

Hive has run a “Ransomware-as-a-Service” operation since June 2021. Victims’ networks are compromised through phishing campaigns, by exploiting known vulnerabilities in Internet-exposed devices, or with valid credentials purchased after third-party database breaches.
Once an initial foothold in a network has been established, the attackers move laterally to other devices, stealing information and then encrypting it so as to enable a “double extortion” scheme: the ransom is demanded not only to unlock the encrypted files, but also under the threat of publishing the stolen data. Hive has also shown a certain ruthlessness in choosing its victims, having no qualms about targeting healthcare organizations and emergency services.

Among Hive’s best known victims are the Memorial Health System, MediaMarkt, Bell Technical Solutions, Tata Power and the New York Racing Association. Since June 2021, Hive has carried out numerous attacks for a haul which, according to FBI analyses dating back to November 2022, stands at over 100 million dollars extorted from more than 1500 organizations.
After the seizure of Hive’s computer assets, the US State Department offered a reward of up to $10 million for anyone with information that can link the ransomware group to foreign governments.

This is not the first time the State Department has offered bounties for this purpose: in the last two years, up to $15 million has been offered for information that can help identify members of the Conti, REvil and DarkSide ransomware operations.
