Hive used a “ransomware-as-a-service” model, where its developers sold their ransomware code to affiliates, who carried out the actual attacks – an arrangement that makes it harder for authorities to identify and investigate the hackers behind the group.
A sign displaying a hidden site that was seized is seen during a press conference in Washington DC on 26 January.
The group was particularly notorious for targeting hospitals and schools. In the summer of 2021, Hive carried out a ransomware attack on a hospital in the US midwest that prevented it from accepting new patients and forced it to run all of its operations with paper records.
The FBI started to work with victims in July 2022 to identify Hive’s targets and then sought court orders and search warrants to enter Hive’s systems, officials said, before ultimately seizing Hive’s servers and websites that its members used to communicate and carry out the attacks.
“This is not exactly hiding in plain sight, this is just hiding. We hide and we watch as they proceed with their attacks and we discover the keys and deliver the keys to victims,” the attorney general, Merrick Garland, said.
The department did not announce arrests on Thursday and declined to discuss the possibility of charges against Hive’s members, who are known to communicate in Russian, or ties to the Kremlin because the investigation with law enforcement in Germany and the Netherlands remains ongoing.
The treasury department has estimated that ransomware attacks cost US organizations $886m in 2021, the most recent year for which data is available.
Russia does not extradite its citizens, and the White House has failed to convince the Kremlin in recent years to prosecute its cybercriminals. At least some of the most infamous hacking gangs, including the Fancy Bears group, have been connected to its state security services.