(Bloomberg) -- Hive ransomware was seized after a joint US-German law enforcement crackdown that thwarted $130 million in demands for payment from more than 1,500 victims around the world, according to law enforcement authorities.

The FBI penetrated the group’s website starting in July, captured its decryption keys and offered them to victims in 80 countries, which included hospitals, schools, financial firms and critical infrastructure, according to the US Justice Department. The US then coordinated with law enforcement in Germany and the Netherlands.

“The Justice Department will spare no resource to identify and bring to justice anyone anywhere who targets the United States with a ransomware attack,” Attorney General Merrick Garland said at a press conference in Washington on Thursday. “Together with our international partners we will continue to disrupt the criminal networks that deploy these attacks.”

The seizure won’t seriously reduce overall ransomware activity but is “a blow to a dangerous group” and could send a signal to hackers, John Hultquist, vice president for intelligence analysis at Mandiant Inc., said in a statement. 

Hive Rival ‘Standing By’

“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” Hultquist said.

He said such law enforcement actions “add friction to ransomware operations” and that “Hive may have to regroup, retool, and even rebrand,” and added: “Until we can address the Russian safe haven and the resilient cybercrime marketplace, this will have to be our focus.”

US officials have accused Moscow of enabling Russian-speaking cybercriminals to act by failing to crack down on ransomware originating within the country’s borders. Moscow has denied the claim. The Hive seizure screen alternates between English and Russian. 

The seizure stemmed from an investigation of a cyberattack against a company last year. Cyberspecialists with the police in the southern German city of Esslingen traced the scam to the Hive network and gave their international law enforcement partners “the crucial clue,” Stuttgart prosecutors said in a statement. 

An investigative team led by the FBI infiltrated the Hive network, watched its activity and stole the keys, Deputy Attorney General Lisa Monaco said.

‘We Hacked the Hackers’

“Simply put, using lawful means, we hacked the hackers,” Monaco said.

The Hive site on Thursday had a notice saying the Federal Bureau of Investigation had seized it “as part of a coordinated law enforcement action taken against Hive Ransomware.”

The Hive group over about three years received more than $100 million in ransom payments from 1,500 victims, causing disruptions around the world that affected responses to the Covid pandemic, among other attacks. The Justice Department said in a statement Thursday that one attack left a hospital forced to use analog methods to treat patients and unable to accept new patients.   

Along with breaching organizations and demanding an extortion fee, Hive would broadcast stolen information, including patient data and employee information from victims, the FBI said last year. The technique represented a kind of double-extortion tactic that intruders increasingly use to step up the pressure on their victims to pay a fee, usually in Bitcoin.

Microsoft Alert

The Hive hacking group was first observed in June 2021, according to the US. 

Hive victims have included the Bank of Zambia, which last year said it declined to pay a ransom, as well as US health care providers and Indonesia’s state-backed oil and gas company.

Microsoft Corp. has released a security alert about the group, saying Hive has emerged as one of the most prevalent examples of the “ransomware as a service” model. That description applies to cybercriminal groups that lease access to their tools to separate partners, taking a cut of the proceeds after a successful digital extortion.

(Adds expert analysis in second section.)

©2023 Bloomberg L.P.