An international ransomware network that extorted more than $100 million from hundreds of victims around the world has been brought down following a monthslong infiltration by the FBI, the Department of Justice announced Thursday.

The group known as Hive targeted more than 1,500 victims, including hospitals, school districts and financial firms in more than 80 countries, the Justice Department said. Officials say the most recent victim in Florida was targeted about two weeks ago.

In a breakthrough, FBI agents armed with a court order infiltrated Hive’s computer networks in July 2022, covertly capturing its decryption keys and offering them to victims, saving the targets $130 million in ransom payments, officials said.

Attorney General Merrick Garland speaks during a news conference at the Department of Justice in Washington, Jan. 26, 2023.

Attorney General Merrick Garland speaks during a news conference at the Department of Justice in Washington, Jan. 26, 2023.

“Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack,” Attorney General Merrick Garland said at a press conference.

Working with German and Dutch law enforcement, the FBI on Wednesday took down the servers that power the Hive network.

“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco said.

While no arrests have been made in connection with the takedown, FBI Director Christopher Wray warned that anybody involved with Hive should be concerned, because this investigation is very much ongoing.

“We’re engaged in what we call ‘joint sequenced operations’ … and that includes going after their infrastructure, going after their crypto and going after the people who work with them,” Wray said.

FBI Director Christopher Wray speaks during a news conference at the Department of Justice in Washington, Jan. 26, 2023.

FBI Director Christopher Wray speaks during a news conference at the Department of Justice in Washington, Jan. 26, 2023.

In a ransomware attack, hackers lock in a victim’s network and then demand payments in exchange for providing a decryption key.

Hive used a “ransomware-as-a-service” model where so-called “administrators” develop a malicious software strain and recruit “affiliates” to deploy them against victims.

Officials said Hive affiliates targeted critical U.S. infrastructure entities.

In August 2021, at the height of the COVID-19 pandemic, Hive affiliates attacked a Midwest hospital’s network, preventing the medical facility from accepting any new patients, Garland said.

It was only able to recover the data after it paid a ransom.

Hive’s takedown is the latest in the Biden administration’s crackdown on ransomware attacks that are on the rise, costing businesses and organizations billions of dollars.

U.S. banks and financial institutions processed nearly $1.2 billion in suspected ransomware payments in 2021, more than double the amount in 2020, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCen) reported in November.

Roughly 75% of the ransomware attacks reported in 2021 had a nexus to Russia, its proxies or persons acting on its behalf, according to FinCen.

An illustration of a ransomware attack. (Graphics by Diaa Bekheet)

An illustration of a ransomware attack. (Graphics by Diaa Bekheet)

The top five highest-grossing ransomware tools used in 2021 were connected to Russian cyber actors, according to FinCen.

Officials would not say whether Hive had any link to Russia.

The Biden administration views ransomware attacks not just as a “pocketbook issue” that affects ordinary Americans but increasingly as a growing national security threat that calls for a coordinated response.

Last year, the White House hosted a two-day international ransomware summit where participants from 36 countries agreed to create a fusion cell at the Regional Cyber Defense Center in Lithuania, followed by an International Counter Ransomware Task Force later this year.