Hive Ransomware Gang Disrupted; Servers and Dark Web Site Seized

The FBI and Europol have obtained decryption keys for the Hive ransomware, which they have already shared with victims.

The Hive ransomware is known for targeting schools, hospitals, and critical infrastructure in the EU and the US.

The international law enforcement community has scored a significant victory against cybercrime with the disruption of the Hive ransomware gang and the seizure of its dark web website, known as the Hive Leak site. Hive used the website to announce new hacks and leaks.

Acting on intelligence gathered from multiple sources, the FBI, Europol, German, Dutch and other agencies also managed to seize Hive’s servers, disrupting Hive’s ability to attack and extort victims.

Authorities have also obtained decryption keys and shared them with the victims of the Hive ransomware, saving them from paying a ransom of $130 million.

In the Department of Justice (DoJ) press release, FBI Director Christopher Wray said that “The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard.”

“The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American businesses and organizations,” added Director Wray.

At the time of writing, the official website of the Hive Ransomware gang displayed the following message in English and Russian:

“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware.”

Hive ransomware gang’s dark web domain right now (image)

The Hive ransomware gang is alleged to have been responsible for numerous successful attacks on organizations located around the world. Some of its targets included school districts, large IT and oil multinationals, financial firms, critical government and private infrastructure and hospitals.

The ransomware gang has made over $100 million in ransom from more than 1,500 victims since June 2021. In one of its attacks, the targeted hospital was forced to shut down its operation and move to analogue methods. The ransomware attack also impacted the hospital’s capability to treat existing and new patients.

Hive’s Modus Operandi: RaaS

The modus operandi of the Hive ransomware gang involved using Ransomware-as-a-Service (RaaS), a type of cybercrime in which a hacker creates and distributes ransomware, and then rents it out to other individuals or groups who use it to carry out attacks and demand payment from victims.

RaaS allows individuals or groups with little or no technical knowledge to carry out ransomware attacks, making it a growing threat in the cyber security landscape.

Like other ransomware gangs, Hive stole data from targeted networks, locked the company out of its systems and demanded a ransom. The victim company would be given decryption keys to unlock its network, but if the gang’s demands were not met, it would leak the stolen data on its dark web domain.

If the ransom was paid, the affiliates and administrators split the ransom 80/20, a mechanism which is known in the cybercrime community as a “double-extortion model.”

In a conversation with, Duncan Greatwood, CEO of Xage Security said that “Critical infrastructure attacks result in widespread impacts, draw international attention and increase the success of a ransomware payout. Every second of downtime at energy, utilities, hospitals and other critical infrastructure around the world can leave communities stranded and even cost lives, forcing parties to respond quickly.”

“Today’s announcement is a win for the DOJ and I applaud their efforts but we also need to be realistic. Adversaries are smart and this win is bound to be short-lived. If we don’t shift our mindset and find ways to not only stop them but also prevent them from getting in the first place, we’ll continue to see these attacks succeed,” Duncan warned.

He suggested that “It’s paramount that critical infrastructure operators embrace the latest technology and security measures to go beyond just detecting and reacting to these attacks and instead prevent them by blocking them at the source.”

This latest action will go a long way towards reducing cybercrime activity in affected regions and should serve as a warning to other criminal groups considering similar activities.
