FBI shuts down ransomware gang that targeted schools and hospitals
In one August 2021 case, a nonprofit Ohio network of hospitals had to cancel urgent surgeries as its staff moved to paper charts.
Garland, FBI Director Christopher A. Wray and their top deputies described the dismantling of Hive as a major victory in the government’s efforts to fight ransomware with novel methods. Law enforcement was able to hack Hive and infiltrate its networks for seven months, officials said, stealing the decryption keys and quietly giving them to more than 100 victims before seizing Hive servers in the United States and Europe on Monday night, knocking them offline and preventing new infections.
Officials said they have not made any arrests, but the investigation is continuing.
“Cybercrime is a constantly evolving threat,” Garland said. “But as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack.”
Hive ransomware was first detected in June 2001. It rapidly became one of the most active ransom networks in the United States, notable for attacking sensitive organizations that many rival gangs avoided.
Hive’s approach included what has been termed “double extortion”: it charged a fee to release a decryption key so that targets could recover access to their data, and it separately charged not to publish patient information and other critical data on a site dedicated to such leaks, which has now been shut down.
Officials said that the FBI and its law enforcement allies have been helping victims regain access to their files without paying the ransoms since July 2022. Law enforcement officials said they have helped at least 300 victims under attack, saving more than $130 million in ransom payments.
“We hacked the hackers,” Deputy Attorney General Lisa Monaco said. “We turned the table on Hive.”
Officials credited German and Dutch authorities and Europol for helping in the case.
Researchers said Hive’s gang included veterans of one of the most notorious Russian-speaking ransomware gangs, Conti. Conti splintered after a Ukrainian member leaked internal chats that revealed leaders bragged of contacts with Russia’s Federal Security Service (FSB).
“That doesn’t necessarily mean they were controlled by the Russian government,” said Allan Liska, intelligence analyst at security company Recorded Future. “But most of these groups headquartered in Russia at least operate with the tacit approval of the Russian government and likely have these loose government contacts.”
Hive’s public but “dark Web” site, unreachable by regular internet browsers, showed that it had been seized, and its back-end servers were also unreachable Thursday, Liska said, essentially putting it out of business.
Other gangs have been able to move to new infrastructure and regroup in the past. The FBI has at times seized money and returned it to victims or obtained decryption keys, but never on the scale of the Hive operation, Wray said.