- Apr 24, 2016
The Hive ransomware operation's Tor payment and data leak sites were seized as part of an international law enforcement operation after the FBI infiltrated the gang's infrastructure last July.
Today, the US Department of Justice and Europol announced that an international law enforcement operation secretly infiltrated the Hive ransomware gang's infrastructure in July 2022, when they secretly began monitoring the operation for six months.
This operation allowed them to learn about attacks before they occurred and warn targets, and to obtain and distribute decryption keys to victims, preventing approximately $130 million in ransom payments.
“Since late July 2022, the FBI has penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded,” the Justice Department said.
“Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims.
According to an application for a warrant, the FBI gained access to two dedicated servers and one virtual private server at a hosting provider in California that were leased using email addresses belonging to Hive members.
In a coordinated action, Dutch police also gained access to two backup dedicated servers hosted in the Netherlands.
Using this access, law enforcement confirmed that these servers acted as the operation's main data leak site, negotiation site, and web panels used by the operators and affiliates.
"In addition to decryption keys, when the FBI examined the database found on Target Server 2, the FBI found records of Hive communications, malware file hash values, information on Hive’s 250 affiliates, and victim information consistent with the information it had previously obtained through the decryption key operation," reads the affidavit.
The ransomware gang's Tor web sites now display a seizure notice listing a a wide range of other countries involved in the law enforcement operation, including Germany, Canda, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom.
Unlike previous seizure messages used by law enforcement, this image is an animated GIF rotating between a message in English and Russian, warning other ransomware gangs about the operation.
Today, the Hive ransomware Tor payment and data leak sites were seized as part of an international law enforcement operation involving the US Department of Justice, FBI, Secret Service, Europol, and Germany's BKA and Polizei.