The U.S. Department of Justice (DOJ) seized control of ransomware servers and websites in a months-long disruption campaign against the Hive ransomware group, which has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure.

The U.S. DOJ announced that, in coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, it has seized control of the ransomware servers and websites that Hive uses to communicate with its members, disrupting Hive’s ability to attack and extort victims.

Since late July 2022, the FBI has penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, sparing victims from having to pay the $130 million in ransom demanded. The FBI has provided over 300 decryption keys to Hive victims who were under attack. The FBI also distributed over 1,000 additional decryption keys to previous Hive victims.

“The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators,” says Deputy Attorney General Lisa O. Monaco. “In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”

Since June 2021, the Hive ransomware group has targeted more than 1,500 victims around the world and received over $100 million in ransom payments. 

“Our efforts in this case saved victims over a hundred million dollars in ransom payments and likely more in remediation costs,” says Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This action demonstrates the Department of Justice’s commitment to protecting our communities from malicious hackers and to ensuring that victims of crime are made whole. Moreover, we will continue our investigation and pursue the actors behind Hive until they are brought to justice.”

Hive ransomware attacks have caused major disruptions to victims’ daily operations around the world and affected responses to the COVID-19 pandemic. In one case, a hospital attacked by Hive ransomware had to resort to analog methods to treat existing patients and was unable to accept new patients immediately following the attack.