FBI Takes Down Hive Criminal Ransomware Group

A cybersecurity expert explains how the FBI’s operation against the ransomware group Hive will impact the rest of this criminal industry

Jude Buffam

In ransomware attacks, hackers encrypt a computer system and then extort victims to pay up or risk losing access to their data. Victims have included large companies such as the meat supplier JBS, major infrastructure such as the Colonial Pipeline and entire countries such as Costa Rica. The Department of Justice recently announced some rare good news about this criminal industry: The FBI infiltrated a major ransomware group called Hive and obtained its decryption keys. These keys let the ransomware victims recover their data without paying the demanded fee. The FBI's work helped affected parties avoid paying $130 million. Afterward American law enforcement worked with international partners to seize Hive's servers and take down its website.

According to the DOJ, Hive has been a major player in the ransomware space since June 2021, attacking more than 1,500 victims in more than 80 countries and extorting more than $100 million from them. “I'd say that's up there with the largest ransomware groups we've got data on, in terms of how many organizations have been impacted and how much money is being paid out,” says Josephine Wolff, an associate professor of cybersecurity policy at Tufts University. Scientific American spoke with Wolff about how the FBI took down Hive and how much of an impact this law-enforcement operation will have on other ransomware criminals.

[An edited transcript of the interview follows.]


On supporting science journalism

If you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.


What action did the FBI take against Hive?

There are two parts of this, both of which are really interesting. The first thing that law enforcement did was to actually infiltrate their internal communications for a period of several months—we think going back to last summer, based on what the Justice Department has said. And because law enforcement was inside their computers and able to see who they had infected and, more important, what the decryption keys were to undo that ransomware, the Justice Department has said it was able to help lots of victims who had been targeted and actually unencrypt their systems by essentially stealing those decryption keys from the Hive servers without Hive's knowledge of what was going on. So for months you had an undercover presence in those servers of law enforcement, taking decryption keys and giving them to victims so they can recover their computers.

The second part of that, which is what just happened, is the takedown. And that's where the Justice Department actually goes in and seizes servers and removes Hive's website. For that part, it's harder to know what the long-term impacts will be because servers and websites are replaceable. So it's a good disruption, but it's not necessarily equivalent to saying, “These people will never be able to distribute ransomware again.” And my guess would be that the reason the takedown happened is because the law-enforcement presence in Hive's system had been detected. Because otherwise I think you would try to maintain that presence as long as you reasonably could.

Is the FBI likely to continue putting together operations like this that involve embedding agents in the systems of criminal organizations for months?

Honestly, I hope so. It's a tricky thing to do because many cybercriminal organizations, for obvious reasons, are fairly cautious about who has access to their servers. My guess is that this is a little bit of an anomaly, finding one that was poorly protected enough. Perhaps that is also tied to the fact that Hive is a “ransomware as a service” organization: you see them renting out their malware to a bunch of other bad actors. Therefore, it is being used quite widely by a whole bunch of different entities in this space, and they have a lot of dealings with people who are not internal, known members of their own organization but are customers buying their services. Perhaps that made it easier to introduce new people to the organization and the systems. Certainly this is something law enforcement will keep trying to do. I hope it'll be successful.

Will Hive's downfall deter other ransomware groups?

That depends a little bit on some of the next steps. I think this is not a story that's necessarily going to make cybercriminals run in fear. My guess is that some of the larger organizations are going to be sweeping their own systems and looking for any signs of a similar presence that they should pay attention to. I don't know that it's going to make anybody tone down their ransomware operations, partly because I think there's less attention to that and less fear of that for cybercriminals who operate overseas. But it's certainly going to give people some nervousness about the possibility of their own systems being infiltrated in this manner.

What else have these groups been up to lately? What's the current state of the ransomware world?

We continue to see these fairly significant, really impactful ransomware attacks on health-care institutions, at local and national government levels, at private institutions. My sense, certainly from insurers, has been that the rate of ransomware has slowed a bit in the past six months to a year—that it's not as frequent or as common as it was perhaps in 2020, 2021, at the moment when it was doing the most damage and causing the greatest number of claims. But that's not to say it's gone away.

Why is that slowdown happening?

There are different ideas about that. Many of the insurers would say, “We've gotten better at requiring policyholders to take certain measures to protect themselves”—the most straightforward of which is creating backups, requiring that everyone be able to reboot their systems if everything gets encrypted. And they think that has helped reduce, at least, the number of claims and the amount of damages caused by ransomware attacks. To some extent, the war in Ukraine throws the ransomware industry into some amount of disarray. There's a set of ransomware groups and cybercrime organizations that have people in Ukraine, often leaders based in Russia, who are starting to leak information about each other and undermine each other's efforts from within.

The other piece of it is pretty aggressive policing in the U.S. but also in Europe: trying to catch people, do takedowns and make ransomware a less lucrative crime. Some of that also centers on regulation of the cryptocurrency industry: trying to sanction certain cryptocurrency exchanges that criminals are using to process these payments. Cryptocurrency intermediaries facilitate currency payments at scale and across national borders, which is so essential for this to be a profitable business. Another thing that the U.S. government definitely is pursuing is the international partnership piece. Most of these criminals are based not in the U.S. or other countries where most of the victims are located. Taking them down requires very active collaboration with law enforcement overseas.

Are cybercriminals changing up their tactics to counter the more robust response from law enforcement?

One piece we haven't touched on a lot is the question of what happens when ransomware operators don't just encrypt a victim's system but also steal copies of all their data and then threaten, “If you don't pay a ransom, I'm going to leak all of your data online.” And that has been growing in frequency for the past couple of years. It's particularly problematic when you think about solutions we've seen, where the hope is “if we provide the decryption key, then people won't pay the ransom.” If there's a stolen copy that's being held over a victim's head, that's a less effective mitigation.

What else can we learn from Hive's takedown?

In the Department of Justice announcement, they said that when they were inside the Hive servers, they could see who was being targeted. But they were only getting reports from about 20 percent of those victims. This gives us one data point for what percent of ransomware attacks are actually being directly reported to the FBI versus the ones for which the FBI had to proactively reach out and say, “It looks like this ransomware group may have impacted you. We think we can help.” Twenty percent is a pretty low number in terms of trying to understand the scale of this problem beyond what people voluntarily report.

Sophie Bushwick is tech editor at Scientific American. She runs the daily technology news coverage for the website, writes about everything from artificial intelligence to jumping robots for both digital and print publication, records YouTube and TikTok videos and hosts the podcast Tech, Quickly. Bushwick also makes frequent appearances on radio shows such as Science Friday and television networks, including CBS, MSNBC and National Geographic. She has more than a decade of experience as a science journalist based in New York City and previously worked at outlets such as Popular Science,Discover and Gizmodo. Follow Bushwick on X (formerly Twitter) @sophiebushwick

More by Sophie Bushwick
Scientific American Magazine Vol 328 Issue 4This article was originally published with the title “Taking Down the Hive Criminal Ransomware Group” in Scientific American Magazine Vol. 328 No. 4 (), p. 24
doi:10.1038/scientificamerican0423-24