The FBI on Thursday announced that it had successfully disrupted the operations of Hive, a ransomware gang that predominantly targeted hospitals and other healthcare providers, and prevented around $130 million in ransom payments.

Hive ransomware gang targets hospitals

Since June 2021, Hive has targeted over 1,300 companies worldwide and received roughly $100 million in ransom payment. According to AP/Modern Healthcare, the gang is considered one of the top five ransomware networks in the world.

Using a ransomware-as-a-service model, Hive developers sell ransomware codes to affiliates, who then access and encrypt victims' network sensitive information. Affiliates would then request a ransom from the victim organization for both a decryption key and a promise to not publish any of the stolen data.

Hive has been known to aggressively target hospitals and other healthcare providers, often resulting in patient care disruptions. For example, in 2021, a U.S. hospital attacked by Hive had to switch to analog methods to care for its patients and was temporarily unable to accept new patients.

FBI infiltrates Hive to stop attacks

On Thursday, U.S. Attorney General Merrick Garland announced that the FBI, along with several international partners, successfully infiltrated Hive and seized several of its websites and servers after a months-long investigation.

In July 2022, FBI agents infiltrated Hive's network, which allowed them to identify victims of the organization's attacks and provide them decryption keys to restore their systems. According to officials in the Department of Justice, this effort prevented around $130 million in ransom payments.

"The FBI and our prosecutors have been inside the network of one of the world's most prolific ransomware variants," said Deputy Attorney General Lisa Monaco. "We hacked the hackers."

On Wednesday, the FBI successfully seized computer infrastructure that supported the network in Los Angeles. Websites for leaking information from victims who refused to pay and for negotiating ransom payments were seized as part of the operation.

According to FBI Director Christopher Wray, the cooperative investigation "cut off the gas that was fueling Hive's fire" and "crippled Hive's ability to sting again."

So far, no arrests have been announced, but Wray said he believes "anyone involved with Hive should be concerned because this investigation is ongoing."

"Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack," Garland said.

In a statement, John Riggi, the American Hospital Association's national advisor for cybersecurity and risk, said that dismantling Hive's ransomware "will help make hospitals safer against high-impact ransomware attacks, which have disrupted healthcare delivery and jeopardized patient safety."

How will this development impact ransomware attacks going forward?

According to Alex Iftimie, a former cyber prosecutor who now works at Morrison Foerster, the FBI's takedown of Hive is "without question the most significant law-enforcement action to date to disrupt a ransomware group."

In general, cybersecurity experts say the FBI has evolved its approach to ransomware crimes and that cyber criminals may be less confident with their operations going forward.

"The information collected may point to affiliates, launderers and others involved in the ransomware supply chain," said Brett Callow, an analyst at the cybersecurity firm Emsisoft.

Allan Liska, an analyst at the cybersecurity firm Record Future, said the operation to take down Hive shows " law enforcement's multi-pronged strategy of arrests, sanctions, seizures and more is working to slow down ransomware attacks." According to Liska, he expects indictments, if not actual arrests, to occur in the next few months.

However, other experts caution that while the takedown is significant, it is unlikely to have much of an impact on ransomware attacks as a whole.

"The disruption of the Hive service won't cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system," said John Hultquist, head of intelligence analysis at the cybersecurity firm Mandiant.

"Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals," Hultquist said. (AHA News, 1/26; AP/Modern Healthcare, 1/26; Fox, Healthcare IT News, 1/27; Viswanatha/Volz, Wall Street Journal, 1/16)