Skip Navigation
BlackBerry Blog

Hive Ransomware: $100 Million in Profits, Then the FBI Hid Inside Their Network

Update 3.14.23: The Newfoundland and Labrador government says the Hive ransomware group was behind a cyberattack that paralyzed the province's healthcare system, according to CBC News. Learn more."

Somehow, the Hive ransomware gang missed the presence of an unexpected guest inside their network. That “miss” cost them their infrastructure and millions in profits from ongoing ransomware attacks. And now it’s triggering an international search for cybercriminals involved with the operation.

This is the story of a 21st-century cyber stakeout.

“Hacking the Hackers” Involved in Hive Ransomware

The BlackBerry Threat Research & Intelligence team documented Hive ransomware just days after it began operating in the summer of 2021. One year later, the FBI says the group and its Ransomware-as-a-Service (RaaS) affiliates had hauled in at least $100 million in ransoms. That money came from schools, hospitals, and hundreds of other victim organizations around the globe. The organizations paid ransom demands out of desperation to get decryption keys to unlock their systems and data, and to keep Hive from publishing data it stole in each attack. This type of “double extortion” method has proven extremely effective.

As the ransomware attacks continued, investigators from Germany, the Netherlands, and Europol worked with the FBI to uncover operational details about the group. And then, something remarkable happened during the summer of 2022. The FBI and federal prosecutors in the U.S. slipped inside the group’s infrastructure.

“Unbeknownst to Hive...our investigative team lawfully infiltrated Hive’s network and hid there for months — repeatedly swiping decryption keys and passing them to victims to free them from ransomware,” Assistant U.S. Attorney General Lisa Monaco explains. “Simply put, using lawful means, we hacked the hackers.”

Specifically, they accessed Hive’s control panel.

Hive ransomware service portal login page (source: BlackBerry Threat Research & Intelligence Team blog, “Bee-Ware of Hive Ransomware")

Once on “the inside” of Hive’s operation, agents watched the RaaS group attack organizations and demand ransoms.

This leads to the next twist in the story: the part where the FBI handed out decryption keys like candy.

Inside the Hive: Secretly Saving Victims Millions

For seven months, agents at the FBI’s Tampa, Florida, office buzzed around inside Hive’s digital operations collecting evidence, but also quietly offering to help 1,300 Hive attack victims around the world. FBI Director Christopher Wray says they followed technical indicators that led to Hive’s decryption keys and then shared them, for free, with victims. “We gave a foreign hospital a decrypter they used to get their systems back up before negotiations (with the threat actors) even began, possibly saving lives.”

In some cases, agents learned of attacks in the preliminary stages, where attackers had accessed a victim’s network and started moving laterally to locate the most valuable data, but they had not yet executed the “noisy part” of the attack, which encrypts the network. Wray says the FBI helped in these cases, too.

“Our investigative team identified the initial stages of an attack against a university, proactively notified the school, and gave it the actual information that it needed to kick Hive off of its network before ransomware was deployed.”

In all, the U.S. DOJ says it saved victim organizations from paying up to $130 million in additional ransoms. And all this work allowed law enforcement to close in on Hive’s digital hive, which was humming away in California.

Hive Ransomware’s California Servers

According to partially redacted search warrants, the FBI seized two servers from a hosting company in California, as well as backups and virtual servers in the EU. These seizures allowed officials to shut down the group’s operations, stopping it for now.

The investigation also uncovered details of how the RaaS group conducted business, including how it handled its affiliates, and yielded clues that allowed the FBI to track down and help many victims. The affidavit states:

“Through the affiliate (control) panel, the affiliate creates a record for each victim, enters information about the victim, downloads the Hive ransomware for the infection, and then tracks progress including the creation date, encryption date, and payment date. The data entered via the affiliate panel are stored in the backend database. Affiliates can also track negotiations with victims and request their cut of the ransom payment by clicking the “payout” button.”

Hive ransomware affiliate dashboard (source: U.S. Department of Justice)

Investigators say they also uncovered a slew of additional evidence from the servers, including malware file hash values, which are akin to digital fingerprints. All of this pushes the investigation into its next phase: the hunt for the actual people involved with these global ransomware attacks.

“We're going to continue gathering evidence, building out our map of Hive developers, administrators, and affiliates, and using that knowledge to drive arrests, seizures, and other operations, whether by the FBI or other partners here and abroad,” says FBI Director Wray. 

BlackBerry Threat Intelligence Perspective on the Hive Takedown

For perspective about this disruption to the Hive ransomware group, we spoke with BlackBerry Most Distinguished Threat Researcher Dmitry Bestuzhev. The BlackBerry team of global threat researchers tracks dozens of cyber threat actors, including Hive.

Q.  Dmitry, what are your initial thoughts about the Hive investigation, and regarding law enforcement efforts to curtail cybercriminal operations?

A.  While security researchers are working on preventing, detecting, and remediating cyber threats, the community needs a root cause treatment. In other words, cybersecurity companies like BlackBerry work on researching and analyzing threats and developing defensive technologies against them.

However, we must understand that those threats are human-developed. If the threat actors behind it are free and operating, it will be a never-ending story. As a security industry, we are not in a position to disrupt or arrest. However, it is different for law enforcement agencies, and it is positive to witness these operations in action to make the cyber world safer. 

Q.  Our most-read story on the BlackBerry blog right now is Emotet Returns, which follows the threat group’s resurgence after disruption by law enforcement. If Hive returns or a competitor fills the void, how does disrupting a cybercrime operation still benefit organizations around the world?

A.  A complete disruption includes both cyber and real-life operations. In other words, to make it successful, the individuals behind it must be arrested, too. Otherwise, a rebirth may take place through a new network infrastructure or a new name, as has been happening with different ransomware families.

However, it's not a trivial task. Even when a law enforcement agency knows who is behind it, given the geographical location of the threat actor, it might be impossible to proceed with an arrest. Or it might take a few years before one or more group members carelessly travel abroad and then get arrested there. That is the main reason we have seen threats return, or rebrand over and over.

Q.  What did the Hive operation teach us about how organizations can reduce the risk of a successful ransomware attack in their environment?

There is no silver bullet to protect a company. However, first things first. This is about effective threat modeling. Who are your threat actors? How do they operate? What is the potential impact of loss if they attack me?

To answer those questions and to get ready, one needs cyber threat intelligence based on context, anticipation, and actionable countermeasure rules. On the other hand, companies must continue building resilient infrastructures based on zero trust architectures. The goal is to lessen the risk by converting factual knowledge into actionable measures.

There is one more remarkably interesting piece of information shared by the U.S. DOJ after the disruption of the Hive ransomware operation: Out of all the victims successfully attacked by the group, only 20% reported the crime to law enforcement. Eight out of ten successful attacks resulted in illegal profits without risk. Those are frighteningly good odds for ransomware operators. It is encouraging to see law enforcement take aggressive action to rebalance the scales, but we can only imagine how those odds would be affected if more victims stepped up and reported the crimes perpetrated against them.

Find Out More

The BlackBerry team just published the new BlackBerry Cybersecurity Global Threat Intelligence Report which examines other major ransomware groups and how organizations can protect themselves. The detailed knowledge shared in the report provides context — and actionable cyberthreat intelligence — that can reduce the impact of threats to your organization.

For similar articles and news delivered to your inbox, please subscribe to the BlackBerry Blog.
Bruce Sussman

About Bruce Sussman

Bruce Sussman is Senior Managing Editor at BlackBerry.