Remarks prepared for delivery.
Director Christopher Wray’s Remarks at Press Conference Announcing the Disruption of the Hive Ransomware Group
I’m pleased to represent the FBI here today and speak about our year-and-a-half-long disruption campaign against the Hive ransomware group.
Hive hurt thousands of victims across the country and around the world—until the FBI and our partners disrupted them, helping their victims decrypt their networks without Hive catching on, and then today dismantling Hive’s front- and back-end infrastructure in the U.S. and abroad.
This operation was led by our Tampa Field Office, assisted by our Cyber Division team at FBI Headquarters and other field office personnel across the country, but also by FBI personnel stationed around the world, who led the collaboration with our foreign law enforcement partners—often shoulder to shoulder, scrutinizing the same data—that was essential to today’s success. Especially the fine work of the German Reutlingen Police Headquarters, the German Federal Criminal Police, the Netherlands National High Tech Crime Unit, and Europol. This coordinated disruption of Hive’s networks illustrates the power of collaboration between the FBI and our international partners.
The FBI’s strategy to combat ransomware leverages both our law enforcement and intelligence authorities to go after the whole cybercrime ecosystem—the actors, their finances, their communications, their malware, and their supporting infrastructure. And since 2021, that’s exactly how we’ve hit Hive ransomware.
Last July, FBI Tampa gained clandestine, persistent access to Hive’s control panel. Since then, for the past seven months, we’ve been able to exploit that access to help victims while keeping Hive in the dark, using that access to identify Hive’s victims and to offer over 1,300 victims around the world keys to decrypt their infected networks, preventing at least $130 million in ransom payments, cutting off the gas that was fueling Hive’s fire.
Our access to Hive’s infrastructure was no accident. Across our cyber program, we combine our technical expertise, our experience handling human sources, and our other investigative tradecraft to seek out technical indicators victims can use to protect themselves.
Here, that focus on obtaining useful technical indicators led us to Hive’s decryption keys—which we turned around and provided to those in need, like when our investigative team identified the initial stages of an attack against a university, proactively notified the school, and gave the institution the technical information it needed to kick Hive off of its network before ransomware was deployed.
Or when an FBI case agent and computer scientist rushed to provide hands-on support to a local specialty clinic and helped the doctor, who also managed the clinic’s IT security, identify his office’s vulnerabilities and deploy his decryption key—because no victim is too small.
We’ve also shared keys with many victims overseas through our foreign-based Legal Attaché offices, like when we gave a foreign hospital a decryptor they used to get their systems back up before negotiations even began, possibly saving lives.
Now, as we move to the next phase of the investigation, we’ve worked with our European partners to seize the infrastructure used by these criminal actors—crippling Hive’s ability to sting again.
I’m also here today to thank those victims and private sector partners who worked with us and who helped make this operation possible by protecting its sensitivities and to demonstrate that we can and will act on the information victims share with us.
So today’s lesson for businesses large and small, hospitals and police departments, and all the other many victims of ransomware is this: Reach out to your local FBI field office today and introduce yourselves, so you know who to call if you become the victim of a cyberattack. We’re ready to help you build a crisis response plan, so when an intruder does come knocking, you’ll be prepared.
And, like the Hive victims here, when you talk to us in advance—as so many others have—you’ll know how we operate: quickly and quietly, giving you the assistance, intelligence, and technical information you want and need.
Unfortunately, during these past seven months, we found that only about 20% of Hive’s victims reported potential issues to law enforcement. Here, fortunately, we were still able to identify and help many victims who didn’t report in. But that is not always the case. When victims report attacks to us, we can help them—and others, too.
Today’s announcement is only the beginning. We’ll continue gathering evidence, building out our map of Hive developers, administrators, and affiliates, and using that knowledge to drive arrests, seizures, and other operations, whether by the FBI or our partners here and abroad.
While this is, yes, a fight to protect our country, our citizens, and our national security, make no mistake—the fight for cybersecurity spans the globe. But the FBI’s presence and partnerships do, too.
So, a reminder to cybercriminals: No matter where you are, and no matter how much you try to twist and turn to cover your tracks—your infrastructure, your criminal associates, your money, and your liberty are all at risk. And there will be consequences.