The Biden administration on Thursday disclosed its monthslong effort to disrupt the Hive ransomware gang, which the U.S. government said attacked more than 1,500 targets across more than 80 countries.
The Justice Department and FBI worked with allies in foreign governments to dismantle Hive’s operation, which took aim at hospitals, schools, financial firms and others. The FBI infiltrated Hive’s computer networks in July 2022, and Deputy Attorney General Lisa Monaco said the government hid while aiding victims.
“For months, we helped victims defeat their attackers and deprive the Hive network of extortion profits,” Ms. Monaco told reporters. “Simply put, using lawful means, we hacked the hackers.”
Ransomware involves malicious software infecting a system and holding data hostage while cybercriminals aim to extort payment and information from victims. The Justice Department said it swiped the encryption keys for victims to unlock their data, including keys for more than 300 people under attack and more than 1,000 who were previously hit.
Attorney General Merrick Garland said the U.S. government then acted Wednesday night to shut down the cybercriminals’ infrastructure.
“Finally, and this is what happened last night, we take down the infrastructure, we take down the servers that power Hive’s ability to go ahead,” Mr. Garland told reporters. “We can only do that once we locate where the servers are, and that’s what we were able to do just very, very recently and resolve the matter last night.”
The takedown of Hive’s operation may force it to regroup and rebrand, but ransomware gangs are not disappearing, said John Hultquist, head of threat intelligence at Google-owned Mandiant.
“The disruption of the Hive service won’t cause a serious drop in overall ransomware activity, but it is a blow to a dangerous group that has endangered lives by attacking the health care system,” Mr. Hultquist said in a statement. “Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals.”
Europol, a law enforcement agency, said the operation involved 13 countries: the U.S., Canada, France, Germany, Ireland, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden and the U.K.