The FBI recently took down the prolific ransomware group Hive, preventing $130m from being taken through attacks. How did this happen, and what does it mean, if anything, for other ransomware groups?

Who is Hive?

Hive is a notorious ransomware group that has attacked more than 1500 victims in over 80 countries since June 2021, and has taken more than $100m. They also offer Ransomware-as-a-Service (RaaS).

What happened to them?

In January 2023, the FBI announced that it, along with international law enforcement partners, had taken down the group by seizing its servers and removing its website. Months before, the FBI had infiltrated the group and managed to obtain more than 300 decryption keys, which it was able to pass on to victims. This meant victims could retrieve their data without having to pay the ransom. In total, the FBI was able to prevent $130m from being lost. According to Deputy Attorney General Lisa Monaco, “simply put, using lawful means, we hacked the hackers.”

How did this happen?

It’s not clear exactly how the FBI was able to infiltrate the group, especially as ransomware groups are usually wary of allowing access to their servers. However, given that Hive was also a RaaS organisation, it was likely more used to dealing with unknown customers, which could have made it easier to introduce external people (such as undercover FBI agents) into the group.

What does this mean for the future of ransomware attacks?

Whilst Hive was a big player in the space, it was only one of many, so attacks haven’t stopped. According to Adam Meyers of CrowdStrike, the company responded to 28 ransomware attacks in January from five groups; only one attack was by Hive. And the move by the FBI is unlikely to deter other groups, especially as law enforcement hasn’t yet arrested anyone. As Josephine Wolff, associate professor of cybersecurity policy at Tufts University, explains, “I think this is not a story that’s necessarily going to make cybercriminals run in fear. My guess is that some of the larger organisations are going to be sweeping their own systems and looking for any signs of a similar presence that they should pay attention to.”