Pierluigi Paganini December 14, 2023

French police arrested a Russian national who is suspected of laundering money resulting from the criminal activity of the Hive ransomware gang.

The French authorities arrested in Paris a Russian national who is suspected of laundering criminal proceeds for the Hive ransomware gang.

“A Russian, suspected of having recovered in cryptocurrencies the money taken from French victims of the powerful Hive ransomware , dismantled in January, was arrested last week, AFP learned on Tuesday December 12 from the judicial police.” reported AFP.  “The suspect, ” aged around forty and who resided in Cyprus “, was arrested on December 5 while he was in Paris, said Christophe Durand, head of the cyber-investigations unit of the brand new Office. anti-cybercrime (Ofac).”

The police seized more than 570,000 euros worth of cryptocurrency during the search of his Cypriot home. The international operation was conducted with the cooperation of Europol and Eurojust. 

The threat actors behind the Hive RaaS have extorted $100 million in ransom payments from over 1,300 companies worldwide as of November 2022, reported the U.S. cybersecurity and intelligence authorities.

As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments” reads the alert published by CISA in November.

The authorities reported that from June 2021 through at least November 2022, threat actors targeted a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).

The Hive ransomware operation has been active since June 2021, it provides Ransomware-as-a-Service Hive and adopts a double-extortion model threatening to publish data stolen from the victims on their leak site (HiveLeaks). In April 2021, the Federal Bureau of Investigation (FBI) released a flash alert on the Hive operation attacks that included technical details and indicators of compromise associated with the operations of the gang. According to a report published by blockchain analytics company Chainalysis, the Hive operation is one of the top 10 ransomware strains by revenue in 2021. The group used various attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.

The Hive operation was dismantled in January 2023 by the FBI, in coordination with German and Dutch police forces, as well as Europol. The ransomware gang breached sixty organizations in France, including the companies Altice or Damart, the National School of Civil Aviation (Enac), the departmental council of Seine-Maritime, the town hall of Annecy or the community of Guadeloupe, reported Le Figarò.

The Tor leak site used by Hive operators has been seized as part of an international operation conducted by law enforcement in 10 countries.

“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware.” reads the message displayed in English and Russian on the Hive ransomware website.

After international authorities seized the Hive gang’s infrastructure, a new ransomware group named Hunters International emerged in the threat landscape.

Hunters International is suspected to be a sort of rebrand of the Hive ransomware gang.

Experts noticed that the Hunters International group is using a code that is very similar to the one used by the Hive gang.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Hive)