DOJ and Europol Announce Disruption of Hive Ransomware

Today, the U.S. Department of Justice (DOJ) and Europol announced the disruption of the Hive ransomware strain, following a joint law enforcement action by U.S., German, and Dutch authorities to seize Hive’s servers and the darknet domain it used to communicate with victims and post data stolen from them. 

Below, we’ll provide information on Hive’s ransomware activity over the last year and tell you more about why today’s shutdown is great news not just for the cryptocurrency and cybersecurity communities, but for businesses around the world.

What is Hive ransomware?

Hive ransomware has been one of the most prolific ransomware strains since launching in 2021, collecting at least $100 million in victim payments during that time, with some individual payments reaching into the tens of millions. Hive was especially active in 2022, with many affiliates previously associated with the Conti ransomware strain migrating to Hive after Conti announced support for the Russian Federation in February 2022 and shut down soon thereafter. 

Like many other ransomware organizations, Hive has no qualms about attacking critical infrastructure providers such as hospitals, and has also posted sensitive data stolen from victims in an attempt to extort them more effectively. We can see Hive representatives using the threat of data leaks as a negotiating tactic in the chat screenshot below.

Hive was also one of many ransomware strains to rely on now-sanctioned cryptocurrency exchange Garantex to launder funds extorted from victims. 

The takedown: How authorities infiltrated Hive and saved victims $130 million

Attorney General Merrick Garland explained today that authorities breached Hive’s servers in July 2022, enabling them to capture the decryption keys necessary to recover files encrypted by the ransomware gang. Authorities distributed those decryption keys to Hive victims in the following months, allowing them to weather the attacks without paying, saving victims a total of over $130 million. That sum is huge in the world of ransomware considering Chainalysis data suggests ransomware victims collectively paid attackers $475 million in 2022, though we acknowledge this is a lower-bound estimate and that the true total is almost certainly more.

We have attributed much of the drop in ransomware payments between 2021 and 2022 to victims’ increasing unwillingness to pay, as they have enhanced their cybersecurity to the point that payment is often unnecessary. However, today’s announcement indicates that this government action alone was a significant driver of the drop as well. It’s also possible that other ransomware strains’ infrastructure has been infiltrated by authorities in much the same way — we won’t know until there’s an announcement.

The takedown of Hive is a huge victory for cryptocurrency, cybersecurity, law enforcement, and national security. It’s indicative of governments’ increasing ability to counter ransomware attackers, and also highlights the benefits of victims reporting incidents to law enforcement and of international cooperation in disrupting these cybercriminal organizations. We commend all agencies involved in today’s action, and look forward to working with our government partners in the future to continue the fight against ransomware.

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.