=== Emergence and growing profile ===
Hive ransomware first became apparent in June 2021. Two months later, ZDNet reported that Hive had attacked at least 28 healthcare organizations in the United States, including clinics and hospitals across Ohio and West Virginia. In August 2021, the FBI released urgent updates warning of the risks from Hive ransomware, as did INCIBE in Spain the following January. Hive's administrator panel showed that its affiliates had breached more than 350 organizations over four months, an average of three companies attacked every day since Hive's operations were revealed in late June. In February 2022, Chainalysis ranked Hive eighth on its list of ransomware groups by revenue. In July 2022, Malwarebytes ranked Hive as the third-most active ransomware group, noting that the group was evolving and that Microsoft had issued a warning that Hive had rewritten its malware in the Rust programming language and moved to a more complex encryption method.
=== Conti links ===
According to Advanced Intelligent Systems expert Yelisey Boguslavskiy and BleepingComputer, Hive had links to the Conti ransomware group since at least November 2021, with some Hive members working for both groups. As Conti wound down its operations, some of its hackers migrated to other groups, including Hive. Hive has denied any connection with Conti; nevertheless, once Conti began closing its operations and its hackers reached Hive, Hive began to employ the tactic of publishing leaked data on the deep web, just as Conti had. Days after the DOJ announced two indictments of an active Conti operator and Russian national on May 16, 2022, Conti partnered with Hive to attack Costa Rica's public health service, the Costa Rican Social Security Fund (CCSS), the following week.
=== Discovery of vulnerabilities and FBI infiltration ===
In February 2022, four researchers from Kookmin University in South Korea discovered a vulnerability in the Hive ransomware encryption algorithm, allowing them to obtain the master key and recover encrypted data. In July 2022, the FBI infiltrated Hive. Undercover agents from the Tampa, Florida Field Office acquired full access and acted as an affiliate in the Hive network, undetected for seven months, while gathering evidence and secretly generating decryption keys so that victims could recover their data. The FBI worked with victims to identify Hive's targets, then entered Hive's systems after obtaining court orders and search warrants, before eventually seizing the digital infrastructure that Hive's members used to communicate and carry out attacks. In November 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Cybersecurity Advisory detailing Hive ransomware mitigation methods, noting that since June 2021 the group had victimized over 1,300 companies globally and acquired approximately US$100 million in ransom payments. Two months later, in January 2023, when Hive was dismantled by law enforcement, it had added 200 more companies to its victims, across 80 countries. In a joint operation involving international partners including Europol and German and Dutch police agencies, Hive was infiltrated and dismantled through server seizures, after law enforcement had obtained over 1,000 decryption keys. The same day, the US State Department announced a US$10 million reward for information linking Hive ransomware to foreign governments, under its Transnational Organized Crime Rewards Program (TOCRP).
=== 2023 arrests ===
As part of a Europol investigation, on 21 November 2023 Ukrainian authorities searched 30 locations in Western Ukraine and apprehended five men, including the alleged leader of the group, a 32-year-old. They confiscated an unspecified amount of bitcoin, equivalent to a six-figure sum in euros, from one of the suspects. Europol stated that additional suspects were still under investigation.

== Attacks ==