US Dismantles Ransomware Network Behind More Than $100M in Extortion

Washington — An international ransomware network that extorted more than $100 million from hospitals and other organizations around the world has been brought down following a monthslong infiltration by the FBI, the Justice Department said Thursday.

The Hive ransomware group, known to operate since June 2021, targeted more than 1,500 victims, including hospitals, school districts and financial firms in more than 80 countries, DOJ and FBI officials said at a press conference. The network’s most recent victim in Florida was targeted about two weeks ago.

FBI agents, who penetrated the group’s computer networks last summer and thwarted multiple attacks, seized its two Los Angeles-based servers Wednesday night, while taking control of darknet sites used by its affiliates, officials said.

German and Dutch police took part in the international law enforcement action.

Attorney General Merrick Garland speaks during a news conference at the Department of Justice in Washington, Jan. 26, 2023.

Attorney General Merrick Garland and other top law enforcement officials announced the operation.

"Cybercrime is a constantly evolving threat," Garland said. "But as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack."

In a ransomware attack, hackers encrypt the data on a victim’s network and then demand payments in exchange for providing a decryption key.

Hive used a "ransomware-as-a-service" model in which highly skilled developers build the malware and then recruit less-sophisticated affiliates to deploy it against victims.

Garland said Hive affiliates targeted "critical infrastructure and some of our nation’s most important industries."

In August 2021, at the height of the COVID-19 pandemic, Hive affiliates attacked a Midwest hospital’s network, preventing the medical facility from accepting new patients, Garland said.

The hospital was able to recover its data only after paying a ransom, the attorney general said.

While no arrests have been made in connection with the operation, FBI Director Christopher Wray warned that "anybody involved with Hive should be concerned, because this investigation is very much ongoing."

FBI Director Christopher Wray, with Deputy Attorney General Lisa Monaco and Attorney General Merrick Garland, speaks during a news conference at the Justice Department in Washington, Jan. 26, 2023.

"We’re engaged in what we call ‘joint sequenced operations’ ... and that includes going after their infrastructure, going after their crypto and going after the people who work with them," Wray said.

FBI agents infiltrated Hive from July 2022 until its seizure, covertly capturing its decryption keys and sharing them with victims, saving the targets $130 million in ransom payments, officials said.

"Simply put, using lawful means, we hacked the hackers," Deputy Attorney General Lisa Monaco said.

In all, the FBI provided more than 300 victims with decryption keys, Garland said, among them a Texas school district, a Louisiana hospital, and a food services company that had been asked to make millions of dollars in ransom payments. The FBI also distributed more than 1,000 additional decryption keys to previous Hive victims.

The takedown represents a win for the Biden administration’s efforts to crack down on a recent surge in ransomware attacks that cost businesses and governments around the world billions of dollars a year.

U.S. banks and financial institutions processed nearly $1.2 billion in suspected ransomware payments in 2021, more than double the amount in 2020, the Treasury Department's Financial Crimes Enforcement Network (FinCEN) reported in November.

Roughly 75% of the ransomware attacks reported in 2021 had a nexus with Russia, its proxies or persons acting on its behalf, according to FinCEN, which also says the top five highest-grossing ransomware tools used in 2021 were all connected to Russian cyberactors.

Officials would not say whether Hive had any known links to Russia.

John Bennett, a former senior FBI official who is now managing director of the Cyber Risk Business Unit at Kroll, a cybersecurity services company, noted that the seizure notice on Hive’s website, written in both English and a Slavic language, suggests it is aimed at an Eastern European audience.

"The fact that it is basically being broadcast in a [Slavic] language, I think, is telling that that’s the target audience that they’re letting know that they got this," Bennett said in an interview.

The gang’s takedown, Bennett said, is a sign of what is coming.

"I think this is telling that law enforcement is catching up very quickly to the capabilities of getting inside of these groups," Bennett said.