The Justice Department announced Thursday that it has dismantled the international ransomware network known as the Hive.

During a news conference, Attorney General Merrick Garland said FBI agents in Tampa, Florida, infiltrated Hive’s network last summer and, while still undetected, provided system decryption keys to more than 300 victims around the world, preventing at least $130 million in ransom payments. 

“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco said. “We turned the tables on Hive, and we busted their business model.”

The FBI continued to investigate and later located Hive’s computer servers located in Los Angeles, Garland said. On Wednesday night, after receiving court orders, agents seized the servers and took control of Hive’s sites on the darknet.

On Thursday morning, a message on Hive’s website read, “The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware.” The message included the logos of the Justice Department, FBI, Secret Service, Europol, and the German and Dutch law enforcement agencies, all of which partnered in the operation.

“Cybercrime is a constantly evolving threat,” Garland said. “But as I have said before, the Justice Department will spare no resource to identify and bring to justice anyone anywhere who targets the United States with a ransomware attack.”

Officials did not announce any arrests. FBI Director Chirstopher Wray said the announcement “is only the beginning.”

“We're going to continue gathering evidence, building out our map of Hive developers, administrators and affiliates, and using that knowledge to drive arrests, seizures and other operations, whether by the FBI or our other partners here and abroad,” he said.

Ransomware is a type of malicious code that encrypts computer files, making them unusable until a large payment is made — usually using cryptocurrency. 

Garland said Hive affiliates “employed a double extortion model” that also stole sensitive data from systems before locking victims out. In exchange for payments, the cybercriminals would provide a decryption key and promise not to publish any stolen data, the attorney general said.

The network, which the FBI has labeled a top-five ransomware threat, targeted more than 1,500 victims around the world since July 2021, authorities said. The victims included operators of critical infrastructure as well as key industries, including hospitals and schools. In one instance in August 2021, a ransomware attack on a Midwest hospital crippled its computer systems, preventing it from accepting new patients “at a time when COVID-19 was surging in communities around the world,” Garland said.

Wray described another incident in which FBI agents identified the initial stages of an attack against a university and then provided the school with information necessary to thwart the attack.

The action is "a reminder to cybercriminals, no matter where you are and no matter how much you can tort and try to twist and turn to cover your tracks, your infrastructure, your criminal associates, your money and your liberty are at risk, and there will be consequences," Wray said.

Authorities said the takedown underscores why ransomware victims should contact the authorities. Wray said only about 20% of Hive’s victims reported potential issues to law enforcement. 

“Our actions in this investigation should speak clearly to those victims,” Monaco said. “It pays to come forward and to work with us.”

According to Chainanalysis, a blockchain data firm, ransomware attackers extorted at least $456.8 million from victims last year, down from $765.6 million in 2021. The company believes much of the decline is related to fewer victims paying the ransoms, and not a result of fewer attacks.