Hive
Russian-speaking ransomware-as-a-service operation active from mid-2021 through January 2023. Best known publicly for the May 2022 compromise of the Costa Rican government — which prompted Costa Rica's president to declare a national emergency — and for sustained healthcare-sector targeting. The FBI infiltrated Hive's infrastructure in July 2022, covertly captured decryption keys for victims for seven months (preventing approximately $130M in ransom payments), and on 26 January 2023 seized Hive's leak site and command infrastructure in coordination with German and Dutch police.
Aliases
Motivations
Target sectors
Target countries
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Timeline
2 events

- Sanction · Severity: High · 2023-01-26 · U.S. Department of Justice
  DOJ/FBI/Europol disrupt Hive ransomware; seize site + decryptors
  U.S. Attorney General Merrick Garland announced that DOJ, FBI, Europol, and German and Dutch police had run a seven-month covert infiltration of Hive's infrastructure, capturing decryption keys and quietly providing them to victims — preventing an estimated $130M in ransom payments. The operation culminated in the seizure of Hive's leak site and command infrastructure, effectively dismantling a brand that had extorted $100M+ from ~1,500 victims across 80 countries since mid-2021.
  Tags: takedown, ransomware, fbi, europol

- Compromise · Severity: Critical · 2022-05-31 · Caja Costarricense de Seguro Social
  Hive ransomware compromises Costa Rican Social Security Fund
  Hive operators encrypted systems at the Caja Costarricense de Seguro Social (CCSS), Costa Rica's social-security fund, weeks after the Conti ransomware-driven national-emergency declaration. CCSS shut down critical systems including the Unified Digital Health File and Centralized Collection System; medical services across hospitals and clinics were disrupted for weeks. The compounding Conti + Hive impacts made Costa Rica a textbook case study in national-level ransomware disruption.
  Tags: healthcare, national-emergency, costa-rica
Indicators of compromise
3 indicators

| Type | Family | Value (description) | First seen | Source |
|---|---|---|---|---|
| Name | Hive | Hive ransomware Windows 64-bit encryptor binary listed as a known IOC in Table 2 of AA22-321A. Hive shipped matching Linux, ESXi and FreeBSD variants and victimized over 1,300 organizations for ~$100M in payments before the FBI infiltrated its network in July 2022. | Nov 16, 2022 | CISA |
| Domain | Hive | Hive affiliate staging server hosting a malicious HTA file used during intrusions, listed in Table 2 of AA22-321A. The .pw infrastructure cluster was seized alongside the Hive back-end on Jan. 26, 2023 in the DOJ/FBI takedown announcement. | Nov 16, 2022 | CISA |
| Name | Hive | Hive ransom note dropped into every encrypted directory; instructs victims not to modify the *.key file in C:\ or /root and links to the HiveLeaks Tor chat panel. Listed in Table 2 of joint FBI/CISA/HHS advisory AA22-321A (Nov. 17, 2022). | Nov 16, 2022 | CISA |
Related actors
Ranked by shared ATT&CK techniques:

- 8Base (RU · Russia) — 4 shared techniques
- Akira (country unknown) — 4 shared techniques
- Qilin (country unknown) — 4 shared techniques
- RansomHub (country unknown) — 4 shared techniques
- ALPHV/BlackCat (country unknown) — 3 shared techniques
- DarkSide (RU · Russia) — 3 shared techniques
References
Threat Intel Tracker. (2026-05-19). Hive — actor profile. Retrieved from https://threatintel.local/actors/hive