US Posts $10 Million Bounty for Info on Hive Ransomware Gang


February 8, 2024

World map

The United States has posted a bounty of up to $10 million for information leading to the identification of the Hive ransomware operation, according to the State Department.

"The Hive ransomware variant targeted victims in over 80 countries, including the United States," Reuters reports the State Department as announcing.  

"Beginning in late July 2022, the FBI penetrated Hive’s computer networks, obtained its decryption keys, and offered them to victims worldwide, preventing victims from having to pay up to $130 million in ransoms demanded."

Takeaway: In May of 2023, the U.S. government indicted and issued sanctions against a Russian national for his role in ransomware attacks against U.S. critical infrastructure targets including law enforcement agencies.

Mikhail Matveev had been identified as a key player in the development of the Hive, LockBit, and Babuk ransomware variants, as well as being connected to the Conti ransomware gang.  

While we have seen some arrests here and there of affiliates and other low-level threat actors in the ransomware space, Matveev was on another level, having been connected to some of the most prolific ransomware operations.  

The Hive story reflects the incestuous relationship between many of the leading ransomware threat actors. It’s literally the whack-a-mole scenario, where one group diminishes and the principles behind it simply reorganize, retool and launch a new RaaS platform.

In July of 2022, the FBI penetrated the Hive network and provided decryption keys to victims worldwide, which significantly diminished the effectiveness of Hive operations, but a new operation emerged soon after called Nokoyawa that is assessed to be the group’s successor.

Hive was widely believed to be affiliated with the notorious Conti ransomware group, along with a long list of other groups associated with former Conti operators, including Royal, Black Basta, and Quantum.

Hive had claimed more than 1,500 victims who were extorted for more than $100 million in ransom payments as of the end of 2022, according to the FBI, and was one of the most active of all observed attack groups that year.

The Play (aka PlayCrypt) RaaS operation also emerged in the summer of 2022 and is noted for having similarities to both Hive and Nokoyawa ransomware and for exploiting unpatched Fortinet SSL VPN vulnerabilities to gain initial access.

While Nokoyawa activity dropped off in latter 2023, Play continues to be one of the more aggressive operations with high-profile attacks on the City of Oakland, Argentina's Judiciary and German hotel chain H-Hotels, as well as exfiltrating data from Fedpol and the Federal Office for Customs and Border Security (FOCBS).

Another interesting nugget is the fact that when the FBI infiltrated and observed Hive operations for seven months, the Bureau came to the shocking conclusion that only about 20% of attacks were being reported to law enforcement. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.