Europol supported the German, Dutch and US authorities in taking down the HIVE ransomware infrastructure. Law enforcement obtained the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals. Around €120 million in ransom payments was averted through these mitigation efforts. This international operation involved authorities from 13* countries.
HIVE ransomware has been identified as a major threat because it has been used to compromise and encrypt the data and computer systems of large IT and oil multinationals in the EU and the USA. Since June 2021, over 1,500 companies from more than 80 countries worldwide have fallen victim to HIVE affiliates and lost almost €100 million in ransom payments.
Affiliates carried out the cyberattacks, while the HIVE ransomware itself was created, maintained and updated by its developers. HIVE operated as ‘ransomware-as-a-service’, and its affiliates used a double extortion model:
- First, they exfiltrated (copied) the victim's data and then encrypted the files.
- Then they demanded a ransom both to decrypt the files and to refrain from publishing the stolen data on the Hive Leak Site.
- When a victim paid, the ransom was split between the affiliate (who received 80 %) and the developers (who received 20 %).
Europol coordinated victim mitigation efforts with other EU countries, which kept further private companies from falling victim to HIVE ransomware. Law enforcement provided the decryption keys to companies that had been compromised, so that they could decrypt their data without paying the ransom. This prevented the payment of more than US$130 million, or the equivalent of about €120 million, in ransoms. Note that a recovered decryption key addresses only the encryption half of the double extortion scheme: data that was already exfiltrated remains in the criminals' hands, so affected companies still have to treat the incident as a data breach.
Europol facilitated the information exchange, supported the coordination of the operation and funded operational meetings in Portugal and the Netherlands. Europol also provided analytical support, linking the available data to criminal cases within and outside the EU, and supported the investigation through cryptocurrency tracing, malware analysis, decryption and forensic analysis.
The EAST Expert Group on Payment and Transaction Fraud (EPTF) focuses on the security of payments and transactions and covers the prevention of ransomware within its brief. The 14th EAST EPTF meeting took place on 9 November 2022.