After months of a “cyber stakeout” in which law enforcement officials lawfully hacked the hackers, one of the top ransomware gangs in the world had their servers seized and their operations dismantled. DataBreaches reported the seizure earlier this morning.
Hive ransomware gang has been the subject of numerous posts on DataBreaches over the past two years, and the subject of federal advisories by CISA and HHS. Federal officials estimate that Hive has attacked more than 1,500 victims since 2021.
Its attacks have been costly to victims in terms of ransom payments demanded to unlock files, as well as in recovery fees. Attacks on the healthcare sector have also interfered with patient care, such as a midwestern hospital that had to divert patients following an attack and that had to use paper and pencil recording when their patient record system could not be accessed.
Hive is estimated to have collected more than $100 million in ransom payments. Authorities estimate that it would have been more than $230 million if not for the fact that law enforcement gained access to Hive’s control panel in July of 2022 and has been disrupting their attacks since then. Over the past months, law enforcement was able to warn victims so they could avert locking, and also gave decryption keys to more than 300 victims and saved them from having to make ransom payments. More than 1,000 earlier victims were also provided with decryption keys.
In a press conference this morning, Attorney General Merrick Garland, Deputy Attorney General Lisa O. Monaco, and FBI Director Christopher Wray provided some details of the operation and thanked their non-U.S. partners who collaborated in bringing Hive’s operations down.
As Deputy Attorney General Monaco explained, they had lawful authority to hack the hackers, and that is what they did.
Only 20% of Hive’s victims ever reported their attacks to law enforcement, and all of the speakers today urged victims of ransomware attacks to come forward and seek law enforcement’s help. The fact that law enforcement might be able to give victims a decryptor key might encourage or persuade more future victims to contact law enforcement.
The FBI Field Office, Orlando Resident Agency is investigating the case. No arrests were announced at today’s press conference and Attorney General Garland declined to answer any questions as to whether any arrests might be forthcoming.
Trial Attorneys Christen Gallagher and Alison Zitron of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Chauncey Bratt for the Middle District of Florida are prosecuting the case.
DOJ’s press release can be found on DOJ’s site.
Impact on the Medical Sector
Although Hive hit a number of sectors, its activities in the healthcare sector have always been of the biggest concern to DataBreaches. The following is a list of U.S. healthcare sector victims claimed by Hive over the past two years. In most cases, Hive provided proof of claims, even though not all victims would publicly acknowledge the attack. In at least one of the cases below, the victim denied that they were the victim, but Hive insisted that they were.
- Consulate Health
- Lake Charles Memorial Health
- Hendry Regional Medical Center
- Sigmund Software VSS
- Tift Regional Medical Center (Southwell)
- NCG Medical
- Empress Emergency Medical Services
- Baton Rouge General Medical Center/ General Health System
- SERV Behavioral Health System
- LaVan & Neidenberg DisabilityHelpGroup
- Exela Technologies
- GoodmanCampbell Spine
- Supernus Pharmaceuticals
- Johnson Memorial Health
- MAS & Coronis Health
- Greenway Health
- Partnership HealthPlan
- First Choice Community Healthcare
- Missouri Delta Medical Center
Coverage can be found for many of the above by searching DataBreaches.net.
Post updated to add links to Deputy AG Monaco’s remarks and AG Garland’s remarks.