FBI says it ‘hacked the hackers’ of a ransomware service, saving victims $130 million

The Department of Justice announced this week that FBI agents successfully disrupted Hive, a notorious ransomware group, and prevented $130 million worth of ransom demands that targets no longer need to consider paying. While stating that the Hive group has been responsible for targeting over 1,500 victims in over 80 countries worldwide, the department also revealed that it had infiltrated the group’s network for months before working with German and Netherlands officials to shut down Hive servers and websites this week.
“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco remarked during a press conference.
The FBI claims that by covertly hacking into Hive servers, it was able to quietly snatch up over 300 decryption keys and pass them back to victims whose data was locked up by the group. US Attorney General Merrick Garland said in his statement that in the last few months, the FBI used those decryption keys to unlock a Texas school district facing a $5 million ransom, a Louisiana hospital that had been asked for $3 million, and an unnamed food services company that faced a $10 million ransom.
“We turned the tables on Hive and busted their business model,” Monaco said. Hive had been considered a top-five ransomware threat by the FBI. According to the Justice Department, Hive has received over $100 million in ransom payments from its victims since June 2021.
Hive’s “ransomware-as-a-service (RaaS)” model is to build and sell the ransomware, then recruit “affiliates” to go out and deploy it, with Hive administrators taking a 20 percent cut of any proceeds and publishing stolen data on a “HiveLeaks” site if a victim refused to pay. The affiliates, according to the US Cybersecurity and Infrastructure Security Agency (CISA), use methods like email phishing, exploiting FortiToken authentication vulnerabilities, and gaining access to company VPNs and remote desktops (using RDP) that are protected only by single-factor logins.
A CISA alert from November explains how the attacks target businesses and organizations running their own Microsoft Exchange servers. The code provided to affiliates takes advantage of known vulnerabilities like CVE-2021-31207, which, despite having been patched since 2021, still leaves servers exposed wherever the appropriate mitigations haven’t been applied.
Once affiliates are in, their pattern is to use the organization’s own network management tooling to shut down any security software, delete logs, encrypt the data, and, of course, leave behind a HOW_TO_DECRYPT.txt ransom note in encrypted directories that directs victims to a live chat panel to negotiate over ransom demands.
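The sequence above (security software stopped, logs cleared, a burst of file modifications, and a HOW_TO_DECRYPT.txt note dropped) is exactly what a defender wants to correlate on a host rather than alert on one signal at a time. The following is an added example, not code from the article, the FBI or CISA: a small Python triage routine that takes normalized host events and reports which stages of that pattern were observed. The event format, the sample events, and the service names `ExampleEDRAgent` and `ExampleAVService` are all constructed for illustration; only the ransom note filename comes from the article.

```python
"""Toy correlation of the Hive post-intrusion pattern over constructed host events.

The events below are invented for illustration; they are not a real EDR or
Windows event format. The only page-sourced value is RANSOM_NOTE.
"""
from collections import defaultdict
from dataclasses import dataclass

RANSOM_NOTE = "HOW_TO_DECRYPT.txt"
# Hypothetical security service names; substitute the names your EDR/AV registers.
SECURITY_SERVICES = {"ExampleEDRAgent", "ExampleAVService"}
MASS_WRITE_THRESHOLD = 50   # this many file modifications ...
MASS_WRITE_WINDOW = 60      # ... within this many seconds counts as a burst


@dataclass(frozen=True)
class Event:
    ts: int       # seconds (constructed timeline)
    host: str
    kind: str     # service_stopped | log_cleared | file_created | file_modified
    detail: str   # service name, log name, or file path


def stages_for_host(events):
    """Return the set of Hive-pattern stages seen in one host's events."""
    stages = set()
    write_times = []  # timestamps of file_modified events inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "service_stopped" and ev.detail in SECURITY_SERVICES:
            stages.add("security_software_stopped")
        elif ev.kind == "log_cleared":
            stages.add("logs_cleared")
        elif ev.kind == "file_created":
            # Accept both / and \ separators so Windows paths are handled.
            name = ev.detail.replace("\\", "/").rsplit("/", 1)[-1]
            if name == RANSOM_NOTE:
                stages.add("ransom_note_dropped")
        elif ev.kind == "file_modified":
            write_times.append(ev.ts)
            # Slide the window: discard writes older than MASS_WRITE_WINDOW.
            while write_times and ev.ts - write_times[0] > MASS_WRITE_WINDOW:
                write_times.pop(0)
            if len(write_times) >= MASS_WRITE_THRESHOLD:
                stages.add("mass_file_modification")
    return stages


def severity(stages):
    """A ransom note alone is conclusive; otherwise escalate with stage count."""
    if "ransom_note_dropped" in stages or len(stages) >= 3:
        return "critical"
    if len(stages) == 2:
        return "high"
    if stages:
        return "medium"
    return "none"


def triage(events):
    """Group events by host and return {host: (severity, sorted stage list)}."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    result = {}
    for host, evs in by_host.items():
        stages = stages_for_host(evs)
        result[host] = (severity(stages), sorted(stages))
    return result


# Constructed sample: fs-01 shows the full pattern, ws-02 is ordinary activity.
SAMPLE_EVENTS = (
    [Event(1000, "fs-01", "service_stopped", "ExampleEDRAgent"),
     Event(1005, "fs-01", "log_cleared", "Security")]
    + [Event(1010 + i, "fs-01", "file_modified", f"D:\\share\\finance\\doc{i}.xlsx")
       for i in range(60)]
    + [Event(1100, "fs-01", "file_created", "D:\\share\\finance\\HOW_TO_DECRYPT.txt"),
       Event(1000, "ws-02", "service_stopped", "Spooler"),
       Event(1001, "ws-02", "file_modified", "C:\\Users\\a\\notes.txt"),
       Event(1002, "ws-02", "file_modified", "C:\\Users\\a\\notes.txt")]
)

if __name__ == "__main__":
    for host, (sev, stages) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {sev} {stages}")
```

In a real deployment the `Event` records would be produced by normalizing your EDR or Windows event stream; the point of the sliding window is that encryption of a file share shows up as a burst of modifications, and the point of the scoring is that two stages on the same host already deserve a page even before the ransom note appears.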
Hive is the biggest ransomware group the feds have taken down since REvil in 2021, which was responsible for leaking MacBook schematics from an Apple supplier as well as for the attack on the world’s largest meat supplier. And earlier that year, groups like DarkSide successfully walked away with a $4.4 million payout after penetrating Colonial Pipeline’s systems in an incident that caused national gas prices to skyrocket. The most expensive publicized ransomware attack, however, hit insurance company CNA Financial, which ended up paying hackers $40 million.
The FBI, during its stakeout of Hive, found more than 1,000 encryption keys tied to previous victims of the group, and FBI Director Christopher Wray noted that only 20 percent of detected victims reached out to the FBI for help. Many victims of ransomware attacks refrain from contacting the FBI for fear of repercussions from the hackers and scrutiny in their industries for failing to secure themselves.
Since hackers keep getting their paydays, the ransomware industry has every incentive to keep going. The FBI hopes it can convince more victims to come forward and work with it instead of buckling to the demands. “When a victim steps forward, it can make all the difference in recovering stolen funds or obtaining decryptor keys,” Monaco said.