Hive ransomware infrastructure seized by law enforcement (Jan. 2023)

In a coordinated action, international law enforcement agencies have seized the infrastructure of the Hive ransomware group. This means that the group can no longer accept payments via its Tor website. Investigators from the Netherlands, Germany and the US were involved in the action. This is yet another case of law enforcement hitting back and breaking up the websites and infrastructure of a cybercriminal group.


Currently, there is probably no official announcement from the law enforcement agencies yet. But many media outlets are already reporting on the seizure action and the group's website shows a seizure logo.

EUROPOL seized HIVE ransomware group's Tor domain

German broadcasting station Tagesschau reports here that the Stuttgart prosecutor's office, together with U.S. justice authorities and other law enforcement agencies, has broken up the Hive ransomware gang's internationally operating network. "A large number of servers were seized, data and accounts of the network and its users were secured," Stuttgart prosecutors and Reutlingen police headquarters said.

The ransomware group had been active since June 2021 and attacked more than 1,500 companies worldwide. In Germany, there were about 70 victims, law enforcement officials said. Three of those victims are based in Baden-Württemberg, which is why the Esslingen Criminal Investigation Department was involved. Its investigators got on the trail of the network during investigations into an affected company there, they said. By the way, a list of the victims can be viewed on this website.

A joint statement from U.S. Attorney General Merrick Garland, FBI Director Christopher Wray and U.S. Deputy Attorney General Lisa Monaco said investigators penetrated Hive's network. Investigators then monitored the gang and secretly obtained the digital keys the ransomware group used to unlock victim organizations' data. "We hacked the hackers using legal means," Reuters quotes Lisa Monaco as saying. "We turned the tables on Hive."


German Tagesschau quotes Udo Vogel, Police Chief of Reutlingen, as saying, "Once again, it has been shown that intensive cooperation across national borders and continents, characterized by mutual trust, is the key to fighting serious cybercrime effectively. We are grateful to be part of this exceptional network with highly professional partners and to be able to make our contribution to such successes." According to EU police agency Europol, Hive also attacked critical healthcare and IT infrastructure, including hospitals, phone providers and factories.

News of the infrastructure takedown spread a few hours ago when Hive's website was replaced with a flashing message that said, "The Federal Bureau of Investigation has seized this website as part of a coordinated law enforcement effort against Hive Ransomware."

Hive was one of the most prolific among a variety of cybercriminal groups that extort international companies by encrypting their data and demanding massive payments in cryptocurrency in return. In addition, data exfiltrated during the attack was published on a Hive leak page to put pressure on victims.

In an alert distributed in November, the FBI stated that cybercriminals linked to Hive had victimized more than 1,300 companies worldwide and received around $100 million in ransom payments. Currently, the FBI says that the number of companies attacked has risen to 1,500 and that the infiltration of the Hive network has thwarted ransom payments of about $130 million. It will be interesting for victims to see when law enforcement will provide decryption tools in cooperation with security companies.

Similar articles:
Decryptor for Hive ransomware v1 till v4 released
Hive ransomware gang looted 100 million from 1,300 victims (including Media Markt)
Anatomy of a Hive Ransomware Attack on Exchange via ProxyShell
