The infrastructure associated with the Hive ransomware-as-a-service (RaaS) operation has been seized as part of a coordinated law enforcement effort involving 13 countries.
“Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals,” Europol said in a statement.
The U.S. Department of Justice (DoJ) said the Federal Bureau of Investigation (FBI) penetrated the Hive networks in July 2022 and captured over 300 decryption keys that were then handed over to companies compromised by the gang, effectively saving $130 million in ransom payments.
The FBI also distributed more than 1,000 additional decryption keys to previous Hive victims, the DoJ added.
Hive, which sprang up in June 2021, has been a prolific cybercrime crew, launching attacks against 1,500 organizations in no fewer than 80 countries and netting $100 million in illicit profits.
Targeted entities spanned a wide range of verticals, including government facilities, communications, critical manufacturing, information technology, and healthcare.
According to statistics collected by Malwarebytes, Hive claimed 11 victims in November 2022, placing it at the sixth spot behind Royal (45), LockBit (34), ALPHV (19), BianLian (16), and LV (16).
“Some Hive actors gained access to victim’s networks by using single factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols,” Europol explained.
“In other cases, Hive actors bypassed multifactor authentication and gained access by exploiting vulnerabilities. This enabled malicious cybercriminals to log in without a prompt for the user’s second authentication factor by changing the case of the username.”
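
The two access patterns Europol describes can be checked for in authentication logs. The following Python sketch is an added example, not code from Europol, the DoJ or the original article: it flags successful remote logins that lacked a second factor, including those where the username differs only in case from an MFA-enrolled account. The event fields, account names, `MFA_ENROLLED` store and function names are assumptions made for illustration; the article does not name the affected product.

```python
import unicodedata

# Hypothetical MFA enrollment store, keyed by the name used at registration.
MFA_ENROLLED = {"jsmith", "adavis"}
REMOTE_SERVICES = {"rdp", "vpn"}

def canonical(username: str) -> str:
    """One canonical form for every lookup: trimmed, NFKC, case-folded."""
    return unicodedata.normalize("NFKC", username.strip()).casefold()

def mfa_required_exact(username: str) -> bool:
    # Weak: exact-match lookup. If the directory behind it matches names
    # case-insensitively, "JSmith" authenticates as jsmith but is not prompted.
    return username in MFA_ENROLLED

def mfa_required(username: str) -> bool:
    # Hardened: compare canonical forms on both sides.
    return canonical(username) in {canonical(u) for u in MFA_ENROLLED}

# Constructed sample events (documentation IP ranges, invented accounts).
EVENTS = [
    {"user": "jsmith", "service": "vpn", "src": "198.51.100.7", "result": "success", "mfa": True},
    {"user": "JSmith", "service": "vpn", "src": "203.0.113.44", "result": "success", "mfa": False},
    {"user": "adavis", "service": "rdp", "src": "203.0.113.44", "result": "failure", "mfa": False},
    {"user": "svc-backup", "service": "rdp", "src": "203.0.113.9", "result": "success", "mfa": False},
    {"user": "kwong", "service": "console", "src": "10.0.0.5", "result": "success", "mfa": False},
]

def find_mfa_gaps(events):
    """Return (user, src, finding) for successful logins that lacked a second factor."""
    enrolled = {canonical(u) for u in MFA_ENROLLED}
    findings = []
    for e in events:
        if e["result"] != "success" or e["mfa"]:
            continue
        if canonical(e["user"]) in enrolled:
            findings.append((e["user"], e["src"], "mfa_skipped_for_enrolled_account"))
        elif e["service"] in REMOTE_SERVICES:
            findings.append((e["user"], e["src"], "single_factor_remote_login"))
    return findings

if __name__ == "__main__":
    for finding in find_mfa_gaps(EVENTS):
        print(finding)
```
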
The international operation consisted of authorities from Canada, France, Germany, Ireland, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the U.K., and the U.S.