In July, the FBI confiscated the group’s infrastructure as part of an international law enforcement operation, including their Tor payment and data leak sites.

Six months of covert surveillance of the Hive ransomware gang’s infrastructure was revealed by the U.S. Department of Justice and Europol in January 2023.

This operation enabled them to detect impending attacks, alert targets, and collect and distribute decryption keys to victims, saving an estimated $130 million in ransom payments.

According to the Justice Department bulletin, the FBI has been working since late July 2022 to infiltrate Hive’s computer networks, capture its decryption keys, and distribute them to victims worldwide, sparing them from paying $130 million in ransom.

Over 300 Hive victims have been given decryption keys since the FBI infiltrated the Hive network in July 2022. The FBI also sent over a thousand more decryption keys to former Hive victims.

An application for a warrant states that the FBI accessed three servers at a California hosting provider, two dedicated and one virtual private, by using email addresses believed to belong to members of the Hive.

In a joint effort, Dutch police also gained access to two other Dutch-hosted backup systems.

“This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware,” reads the seizure notice.

Thanks to this access, law enforcement verified that the servers in question served as the primary data leak site, negotiation site, and web panels for the operation’s administrators and affiliates.

The FBI verified the accuracy of the information it had obtained through the decryption key operation by comparing it to the database discovered on Target Server 2. This database contained records of communications between Hive members, hash values for malware files, details on 250 affiliates, and victim information.

Germany, Canada, France, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom are some of the nations included in a seizure notice posted on the ransomware group’s Tor domains.
The notice is shown as an animated GIF that alternates between an English and a Russian message to alert other ransomware groups.

Who is Hive?

Hive is a ransomware-as-a-service (RaaS) operation released by cybercriminals in June 2021. They often get access to networks by phishing, exploiting security flaws in internet-connected devices, or acquiring credentials.

After hackers get into a company’s network, they steal unprotected customer data and use it as leverage in extortion demands.

They compromise a Windows domain controller and exploit it to propagate their ransomware over the network, locking users out of their own devices.
However, unlike other ransomware groups who claim to avoid targeting healthcare institutions, Hive does not pick and choose which targets they attack.

The victims of the ransomware group’s attacks have ranged from the non-profit Memorial Health System to the retail giant MediaMarkt to the telecoms firms Bell Technical Solutions (BTS) and Tata Power to the New York Racing Association.

In November 2022, the FBI said that over 1,500 companies had paid the ransom, bringing the total amount collected from the scheme to almost $100 million since June 2021.




About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
