US Offers $10 Million Reward for Info About Hive Ransomware Leaders
The U.S. government appears eager to finish off what’s left of the notorious Hive ransomware group, offering a $10 million reward for information that leads to the identification and location of any of the leaders of the gang.
On top of that, the State Department is offering another $5 million for information that results in the arrest or conviction of anyone, in any country, who participated or tried to participate in Hive’s operations.
The bounties come more than a year after law enforcement agencies from the United States and other countries seized the ransomware group’s front- and back-end infrastructure – including the servers and websites Hive used to communicate with members. The FBI also gave decryption keys to more than 1,300 Hive victims, essentially enabling them to regain control over their captured data.
“Today’s announcement complements the Department of Justice announcement that, with Europol, the German and Dutch authorities, and the United States Secret Service, it had seized control of Hive’s servers and websites, thereby disrupting Hive’s ability to further attack and extort victims,” the State Department said in a statement.
The rewards are being offered through the State Department’s Transnational Organized Crime Rewards Program, which targets criminal organizations whose operations cross national lines.
A Lot of Victims, A Lot of Money
The government says the Hive ransomware variant, which emerged in 2021, harmed more than 1,500 victims in more than 80 countries, including the United States. Victims of the group and its affiliates included governments, organizations in the communications, critical manufacturing, and IT sectors, and particularly healthcare and public health organizations, according to an advisory in late 2022 from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services.
The group racked up more than $100 million in ransoms, and the FBI estimated that distributing the decryption keys to victims likely averted $130 million in potential ransoms.
Significant Effects of Takedown Operation
However, researchers with Chainalysis believe that number is too conservative. In a ransomware report this week, the blockchain analysis firm said the takedown of the Hive group and the distribution of decryption keys were significant factors behind the incidence of ransomware attacks and the relatively low total of ransomware payments – $567 million – collected by Hive and every other threat group in 2022.
The FBI had infiltrated Hive’s operations for six months that year. During that time, total ransomware payments reached $290.35 million, according to Chainalysis.
“But our statistical models estimate an expected total of $500.7 million during that time period, based on attacker behavior in the months before and after the infiltration — and that’s a conservative estimate,” the researchers wrote in the report, which found that ransomware payments in 2023 exceeded $1 billion. “Based on that figure, we believe the Hive infiltration may have averted at least $210.4 million in ransomware payments.”
The FBI’s $130 million estimate of reduced payments looked only at ransoms averted by provisioning the decryptor keys, but didn’t account for what Chainalysis called “knock-on effects.” Hive operated a ransomware-as-a-service (RaaS), with affiliates renting or leasing the group’s code to run their own ransomware attacks and kicking back some of the ill-gotten gains to the Hive group itself.
“The Hive infiltration also most likely affected the broader activities of Hive affiliates, potentially lessening the number of additional attacks they could carry out,” the researchers wrote.
‘Banker’ Arrested in France
David Walker, FBI’s Tampa Division special agent in charge, told Chainalysis that the “Hive investigation is an example of a gold standard for deploying the key services model. The FBI continues to see, through its investigations and victim engagements, the significant positive impact actions such as the Hive takedown have against cyber threat actors. We will continue to take proactive disruptive measures against adversaries.”
In December 2023, French police arrested a Russian national believed to be a “banker” involved in laundering some of the money the Hive group received through its operations. French authorities said he was suspected of holding several million dollars in crypto wallets that were considered suspicious, and, after his arrest, an analysis of his phone revealed crypto assets worth more than $614,000, which were seized.