Hive (ransomware)

In January 2023, following a joint US–German investigation[2] involving 13 law enforcement agencies,[3] the United States announced that the FBI had "hacked the hackers" over several months, resulting in the seizure of the Hive ransomware group's servers and effectively shuttering the criminal enterprise.

Two months later, ZDNet reported that Hive had attacked at least 28 healthcare organizations in the United States, including clinics and hospitals across Ohio and West Virginia.

Also in August 2021, the FBI released a flash alert on the Hive ransomware attacks that included technical details and indicators of compromise associated with the gang's operations.

In February 2022, four researchers from Kookmin University in South Korea discovered a vulnerability in the Hive ransomware encryption algorithm, allowing them to obtain the master key and recover encrypted data.

Undercover agents from the FBI's Tampa, Florida Field Office acquired full access and acted as an affiliate in the Hive network undetected for seven months, gathering evidence and secretly generating decryption keys so that victims could recover their data.

On January 26, 2023, United States Attorney General Merrick Garland personally announced[4][5] that, in concert with law enforcement from 13 countries,[3] including Europol and German and Dutch police agencies, Hive had been successfully infiltrated and dismantled through server seizures. Before shuttering the Hive digital infrastructure, the FBI had obtained over 1,000 decryption keys,[33] which it had provided to 336 victims.

The same day, the US State Department issued notice of a US$10 million bounty for information linking Hive ransomware to foreign governments, under its Transnational Organized Crime Rewards Program (TOCRP).

The attackers had used malware called Phoenix Locker, a variant of the Hades ransomware used by the Russian cybercriminal group Evil Corp.[37] Memorial Healthcare System was forced to have its hospitals use paper records, cancel procedures, and refer patients to other, uncompromised facilities.

An investigation by a cybersecurity firm revealed, in April 2022, that an affiliate of the Hive ransomware group was targeting Microsoft Exchange servers vulnerable to the ProxyShell security issues, deploying a variety of backdoors, such as Cobalt Strike beacons, and then performing network reconnaissance to steal administrator account credentials, exfiltrate valuable data, and deploy the file-encrypting payload.

When Hive attacked the Bank of Zambia[41] in May 2022, the bank refused to pay the ransom, stating that it had the means to recover its systems, and posted a link to a dick pic in the extortionists' chat.

CCSS President Álvaro Ramos Chaves stated that databases with sensitive information were not compromised, though at least 30 of the institution's 1,500 servers had been contaminated with ransomware.

A sample file allegedly leaked on the dark web by Hive and scrutinized by Numerama contains passports, payslips, and other personal information regarding Intersport customers; publishing such samples of stolen data is common practice among ransomware gangs.

Typically, the ransomware gang locks or encrypts all company data and then threatens to publish it online if its ransom demands are not met.