US Offers $10 Million Bounty for Information Leading to Arrest of Hive Ransomware Leaders

Hive Ransomware

The US State Department has Office has partnered cash rewards of up to $10 million for information about individuals holding key positions within the Hive ransomware operation.

It also provides an additional $5 million for specifics that may lead to the arrest and/or conviction of any person “conspiring to engage in or attempting to engage in Hive ransomware activity.”

The multi-million-dollar rewards come a little over a year after a coordinated law enforcement effort secretly infiltrated and dismantled the darknet infrastructure associated with Hive ransomware-as-a-service ( RaaS) gang. One person who is suspected of having links to the group is arrested in Paris in December 2023.

The hive, which emerged in mid-2021, targeted more than 1,500 victims in more than 80 countries, earning about $100 million in illegal profits. In November 2023, Bitdefender revealed that a new ransomware group called Hunters International had obtained the source code and infrastructure from Hive to start its own efforts.

There is some evidence to suggest that threat actors associated with Hunters International are likely to be based in Nigeria, particularly an individual named Olowo Kehinde, per INFORMATION compiled by Netenrich security researcher Rakesh Krishnanalthough it can also be a fake persona adopted by actors to cover their true origins.

Blockchain analytics firm Chainalysis, in its 2023 review published last week, estimated that ransomware crews took $1.1 billion in extorted cryptocurrency payments from victims last year, compared to $567 million in 2022 , all but confirmed that ransomware returned in 2023 after a relative fall. in 2022.

“2023 marks a big return for ransomware, with record-breaking payouts and a huge increase in the range and complexity of attacks – a significant change from the decline observed in 2022,” it SAYS.


The decrease in ransomware activity in 2022 is considered a statistical aberration, with the decline due to the Russo-Ukrainian war and the disruption of Hive. In addition, the total number of victims posted on data leak sites in 2023 was 4,496, up from 3,048 in 2021 and 2,670 in 2022.

Palo Alto Networks Unit 42, in its own analysis of ransomware gangs’ public lists of victims on dark web sites, names manufacturing as the most affected industry vertical in 2023, followed by profession and legal services, high technology, retail, construction, and health care sectors.

While the law enforcement action prevented approximately $130 million in Hive ransom payments, it said the removal also “likely affected the broader activities of Hive’s affiliates, potentially reducing the number of additional attacks they can make.” In total, the effort may have avoided at least $210.4 million in compensation.

Adding to the increase in the regularity, scope, and number of attacks, last year also witnessed an influx of new entrants and branches, a sign that the ransomware ecosystem is attracting a steady stream of new players attracted by the prospect of high profits and low barriers to entry.

Cyber ​​insurance provider Corvus says that the number of active ransomware gangs registered a “significant” 34% increase between Q1 and Q4 2023, growing from 35 to 47 due to and rebranding or other actors who obtain the leaked encryptors. Twenty-five new ransomware groups emerged in 2023.

“The frequency of rebranding, especially by the actors behind the biggest and most famous strains, is an important reminder that the ransomware ecosystem is much smaller than the large number of strains would indicate,” said Chainalysis.

Apart from a notable shift to big game hunting, which refers to the tactic of targeting large companies to obtain large ransoms, ransom payments continue to be channeled through cross-chain bridges, instant exchangers , and gambling services, showing that e-crime groups are slowly moving away from centralized exchange and mixers to find new ways for money laundering.

Leaders of Hive Ransomware

In November 2023, the US Treasury Department imposed sanctions against Sinbad, a virtual currency mixer used by the North Korea-linked Lazarus Group to launder ill-gotten gains. Some of the other sanctioned mixers include Blender, Tornado Cash, and ChipMixer.

The pivot to big game hunting is also a result of companies increasingly refusing to settle, as the number of victims choosing to pay fell to a new low of 29% in the last quarter of 2023 , according to data from Coveware.

“Another factor contributing to higher ransomware numbers in 2023 is a major shift in the use of vulnerabilities by threat actors,” Corvus SAYSwhich promotes Cl0p’s BENEFITING of Fortra GoAnywhere and Progress MOVEit Transfer errors.


“If malware, such as infostealers, provides a constant trickle of new ransomware victims, then a major vulnerability is like turning off a faucet. With some vulnerabilities, the relatively easy access to thousands of victims can happen in one night.”

Cybersecurity company Recorded Future revealed that the weaponization of security vulnerabilities by ransomware groups falls into two clear categories: vulnerabilities that are exploited only by one or two groups and those that are widely exploited by multiple threat actors.

“Magniber is uniquely focused on Microsoft’s vulnerabilities, with half of its unique exploits focused on the Windows Smart Screen,” it THE audience. “Cl0p has unique and poorly focused file transfer software from Accelion, SolarWinds, and MOVEit. ALPHV is uniquely focused on data backup software from Veritas and Veeam. REvil is uniquely focused on server software from Oracle, Atlassian, and Kaseya.”

Leaders of Hive Ransomware

The continued adaptation observed by cybercrime crews is also evidenced by the increase in DarkGate and PikaBot infections following the removal of the QakBot malware network, which is the preferred initial entry point into target networks for ransomware deployment.

“Ransomware groups like Cl0p use zero-day exploits against newly discovered critical vulnerabilities, which represent a complex challenge for potential victims,” ​​Unit 42 SAYS.

“While ransomware leak site data can provide valuable insight into the threat landscape, this data may not accurately reflect the full impact of a vulnerability. the impact of zero-day exploits.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment