Hive ransomware gang taken down after FBI hacks back

The FBI hacked into Hive’s servers, stole its decryption keys and then took down its servers in a major action that has successfully disrupted a prolific and dangerous ransomware operation

Alex Scroxton

By

Published: 27 Jan 2023 7:47

In one of the largest international cyber law enforcement actions seen to date, the Hive ransomware cartel’s infrastructure was hacked, its decryption key “stolen” and distributed to victims, and its servers seized, bringing an end to an 18-month crime spree that had stolen over $100m from around 1,500 victims including hospitals, schools, financial services organisations and critical infrastructure.

The extent of the operation, revealed for the first time yesterday (26 January) by the US Department of Justice (DoJ), was such that it pulled in law enforcement agencies from Canada, France, Germany, Ireland, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the UK and the US, with the European agencies coordinated through Europol.

With the FBI leading the way, Hive’s infrastructure was first penetrated in July 2022 and its decryption keys exfiltrated. The keys have since been handed out to 300 Hive victims under active attack, and over 1,000 previously attacked victims, saving an estimated $130m (£105.1m) in potential ransom payments. An independent researcher made a Hive decryption tool available at approximately the same time – it is not known if there is a link to the operation.

Then, earlier this week and working with the Dutch national cyber crime unit, German federal police and local authorities in the state of Baden-Württemberg, the FBI was able to seize control of the servers and websites that Hive used, disrupting the gang’s ability to attack and extort any more victims.

“The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cyber crime as it does to perpetrators,” said deputy US attorney general Lisa Monaco.

“In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130m in ransomware payments. We will continue to strike back against cyber crime using any means possible and place victims at the centre of our efforts to mitigate the cyber threat.”

Paul Foster, deputy director of the UK National Crime Agency’s (NCA’s) National Cyber Crime Unit, added: “Hive was a service which enabled cyber criminals to steal millions from businesses across the globe, with several UK organisations suffering significant disruption and financial losses.

Servers of the Hive strand of ransomware were taken offline on 26 January

“The combined might of international law enforcement, which includes NCA officers, is a tremendous example of action to take down illegal IT infrastructure. We continue to work closely with partners to bolster our capability to tackle this national security threat and strengthen the UK’s response to cyber crime.

“I would urge any businesses that may have been a victim  of cyber crime to come forward and report such incidents to law enforcement.”

Hospital hit by Hive was forced to turn away patients

Despite its relative youth, the Hive ransomware cartel was firmly established as one of the more prolific and dangerous ransomware-as-a-service (RaaS) operations, operating a subscription-based model whereby it recruited affiliates to do its dirty work while taking a 20% cut of ransom payments for itself.

At one time the most prolific ransomware family observed by incident responders at Google Cloud’s Mandiant, accounting for 15% of intrusions to which it responded last year.

The ransomware locker itself was under active development and was notably entirely rewritten in the Rust programming language in mid-2022, likely in an attempt to hinder analysis and throw researchers and investigators off its trail. Rust is one of a number of multiplatform languages valued by RaaS operators for their flexibility and ability to quickly and easily target both Windows and Linux environments.

Hive was used by multiple actors, according to Mandiant, but one of the most enthusiastic Hive operators was UNC2727, also tracked as Gold Ulrick or Wizard Spider, which was previously known as the Conti ransomware operation that targeted the Irish Health Service Executive in May 2021.

The affiliates accessed their target networks using a number of tried-and-tested methods, often through single factor logins via the remote desktop protocol (RDP) tool, but also using virtual private networks (VPNs) and other remote network connection protocols, exploiting FortiToken vulnerabilities, and phishing emails containing malicious attachments. Hive affiliates are also known to have exploited the ProxyShell vulnerability chain in Microsoft Exchange Server.

The malware used the well-established double extortion technique which not only encrypted victims’ data and rendered it inaccessible, but also stole and published the data on a dark web leak site, causing further distress and embarrassment, and acting as an additional “incentive” for its victims to pay up. It caused major disruption to victims’ operations, in one case attacking a hospital that had to resort to analogue methods to treat existing patients, and was unable to accept new patients in the wake of its attack.

In the UK, the NCA said that Hive affiliates had hit approximately 50 victims, including in the housing, haulage, commercial and education sectors.

Cyber crime market will prove resilient

However, despite the success of the joint operation, experts tend to assess that the ransomware underground will take the disruption of Hive very much in its stride. Indeed, it is possible, even likely, that individuals associated with Hive are already firming up links with other operations – similarities have already been noted between Hive and an emerging ransomware, Play, thought to be behind the December 2022 attack on UK car dealer Arnold Clark.

John Hultquist, head of Mandiant Threat Intelligence, said: “The disruption of the Hive service won’t cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system.

“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals.”

He continued: “Actions like this add friction to ransomware operations. Hive may have to regroup, retool, and even rebrand. When arrests aren’t possible, we’ll have to focus on tactical solutions and better defence. Until we can address the Russian safe haven and the resilient cyber crime marketplace, this will have to be our focus.”

Read more on Hackers and cybercrime prevention

Read More
Luz Mischke

Latest

Will Bitcoin Boom in 2026? Keeping Cryptocurrency Players Informed

By NFTevening March 6, 2026 Bitcoin has served to define the cryptocurrency community since its initial launch in 2009. While representing nothing more than an interesting investment opportunity at one time, this stablecoin has since become extremely popular throughout the online gaming community as an alternative payment method. However, even Bitcoin is not immune to

At climate summit, African leaders call for a bigger role in energy transition

African leaders called for regional cooperation and more climate investments, as the second Africa Climate Summit opened this Monday in Addis Ababa. Heads of state urged the continent to play a bigger role in the transition to a cleaner global economy. Speaking at the opening event, Ethiopian Prime Minister Abiy Ahmed said it's time to

USA Cruise, Morocco Take Control, Brazil Advance On World Cup Day 9

```html id="s7wthc" ``` By Newspot Nigeria Sports Desk Day Nine of the 2026 FIFA World Cup brought four more group-stage matches and a clear theme across the schedule: teams that needed control went out and took it. The United States defeated Australia 2-0 to book a place in the next round, Morocco edged Scotland to

Cancer: Nigeria empowers patients with N50m lifetime

….As 200 beneficiaries get N100.000 each  AKOR SYLVESTER, Abuja The federal government has unveiled a N50 million Social Determinants of Health (SDoH) Fund to support cancer patients to enable them to meet the challenges of transportation, accommodation, feeding and other non-medical issues. The Minister of State for Health and Social Welfare, Iziaq Adekunle Salako, who

Newsletter

Don't miss

Will Bitcoin Boom in 2026? Keeping Cryptocurrency Players Informed

By NFTevening March 6, 2026 Bitcoin has served to define the cryptocurrency community since its initial launch in 2009. While representing nothing more than an interesting investment opportunity at one time, this stablecoin has since become extremely popular throughout the online gaming community as an alternative payment method. However, even Bitcoin is not immune to

At climate summit, African leaders call for a bigger role in energy transition

African leaders called for regional cooperation and more climate investments, as the second Africa Climate Summit opened this Monday in Addis Ababa. Heads of state urged the continent to play a bigger role in the transition to a cleaner global economy. Speaking at the opening event, Ethiopian Prime Minister Abiy Ahmed said it's time to

USA Cruise, Morocco Take Control, Brazil Advance On World Cup Day 9

```html id="s7wthc" ``` By Newspot Nigeria Sports Desk Day Nine of the 2026 FIFA World Cup brought four more group-stage matches and a clear theme across the schedule: teams that needed control went out and took it. The United States defeated Australia 2-0 to book a place in the next round, Morocco edged Scotland to

Cancer: Nigeria empowers patients with N50m lifetime

….As 200 beneficiaries get N100.000 each  AKOR SYLVESTER, Abuja The federal government has unveiled a N50 million Social Determinants of Health (SDoH) Fund to support cancer patients to enable them to meet the challenges of transportation, accommodation, feeding and other non-medical issues. The Minister of State for Health and Social Welfare, Iziaq Adekunle Salako, who

A befitting garland for UBA GMD, Alawuba @ 60

THOMAS IMONIKHE 08051000465 There is no iota of doubt that the Group Managing Director (GMD) of United Bank for Africa Plc and Chairman Body of Banks’ CEOs, Oliver Chukwudum Alawuba, an astute banker and one of Nigeria’s top corporate business leaders, who clocks three scores Saturday June 20, has made tremendous impact in the nation’s

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom