
Hive Ransomware: Threat Actor Profile

Hive was one of the most successful RaaS brands of 2021-2023, hitting 1,500+ victims for $100M+ before the FBI covertly infiltrated its infrastructure and disrupted it in a landmark 2023 takedown. A full profile.

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.

Hive was one of the most operationally successful ransomware-as-a-service (RaaS) brands of the 2021–2023 period, especially against healthcare and other critical sectors. The DOJ said Hive targeted more than 1,500 victims in over 80 countries and received over $100 million in ransom payments before the FBI-led disruption in January 2023.

Hive: at a glance

  • Aliases: Hive ransomware group
  • Country / affiliation: Russian-speaking criminal ecosystem
  • Assessed status (as of July 2026): Inactive (disrupted 2023)
  • Primary objectives: RaaS extortion, especially against healthcare and critical sectors
  • Financial destruction / gain: >$100 million in ransom payments from more than 1,500 victims before the 2023 disruption
  • Type: ransomware-as-a-service (RaaS) (double extortion)

Who is Hive?

The operation also reportedly helped victims avoid about $130 million in additional payments once the FBI infiltrated it. Hive's importance in an all-time ranking comes less from innovation than from scale, speed, and the degree of harm inflicted on public-facing institutions. As a distinct brand, Hive is inactive.

Aliases and attribution

Hive ran a classic ransomware-as-a-service (RaaS) affiliate model within the Russian-speaking cybercrime ecosystem. Its defining moment was not a technical innovation but its takedown: the FBI covertly penetrated Hive's infrastructure for months, quietly distributing decryption keys to victims before seizing the operation — a landmark in proactive disruption over after-the-fact prosecution.

Financial impact and damage

The DOJ tied Hive to $100 million-plus in payments from 1,500+ victims across 80+ countries, with heavy targeting of hospitals and healthcare — attacks that directly endangered patient care. The FBI's covert infiltration reportedly saved victims around $130 million in ransoms by handing out decryptors. Hive remains a benchmark for both the harm ransomware inflicts on critical sectors and how law enforcement can fight back.

Hive timeline

  • 2021: Hive emerges as a RaaS brand
  • 2022: Healthcare and critical-sector targeting expands; CISA/FBI advisory issued
  • 2022: FBI begins covert infiltration, distributing decryption keys
  • 2023: DOJ/FBI disruption seizes Hive infrastructure

Notable attacks and campaigns

Hive's repeated attacks on hospitals drew intense scrutiny for endangering patient safety. The FBI's operation — infiltrating Hive from mid-2022, quietly providing decryptors, then dismantling it in January 2023 — is one of the most celebrated ransomware takedowns and a model for disrupting operations from the inside. CISA's Hive advisory documents its tradecraft.

Tactics, techniques, and procedures (TTPs)

The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.

  • T1566 / initial access — Phishing and exposed services: CISA said Hive targeted broad sectors through common enterprise entry paths. Enforce MFA, patch exposed services, and segment healthcare operations.
  • T1003 / credential theft — Credential capture and admin escalation: Hive depended on privileged stolen access. Monitor LSASS access, privilege anomalies, and new remote-admin sessions.
  • T1486 / T1490 — Data Encrypted for Impact / Inhibit System Recovery: Hive encrypted at scale and deleted backups. Alert on large-scale encryption bursts and recovery-control tampering.

Detection and defense against Hive

Hive relied on stolen credentials and exposed services, so foundational hygiene stops most of its playbook:

  • Enforce MFA and patch internet-exposed services (RDP, VPNs) aggressively.
  • Segment healthcare and critical operations from general IT networks.
  • Monitor LSASS access, privilege anomalies, and new remote-admin sessions.
  • Protect backup domains and alert on recovery-control tampering.
  • Report incidents early — the FBI's Hive operation shows law enforcement can provide decryptors.
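The TTP list and the defense checklist above both reduce to three detectable behaviours: a non-allow-listed process reading LSASS memory (T1003), a process-creation event that disables recovery (T1490), and a single process touching an unusual number of files in a short window (T1486). The script below is an added example written for this guide, not code from the original article, CISA, or MITRE; it implements those three checks over constructed Sysmon-style events (event IDs 10, 1 and 11 are real Sysmon IDs, but the field names, the LSASS allow-list, the 100-files-per-minute threshold and every path and GUID are assumptions to be tuned to your own telemetry).

```python
"""Toy detections for the three Hive-style behaviours in the profile's TTP list.
Added example, not the article's own material; event shapes are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Sysmon event IDs; field names below are a simplified, assumed schema
EVT_PROCESS_CREATE = 1
EVT_PROCESS_ACCESS = 10
EVT_FILE_CREATE = 11

PROCESS_VM_READ = 0x0010  # access right credential-dumping tools need on lsass.exe

# Assumed allow-list of images that legitimately open lsass.exe (tune per estate)
LSASS_ACCESS_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Recovery-inhibiting commands (T1490): (image basename, substring of command line)
RECOVERY_TAMPER_PATTERNS = [
    ("vssadmin.exe", "delete shadows"),
    ("wbadmin.exe", "delete catalog"),
    ("bcdedit.exe", "recoveryenabled no"),
    ("wmic.exe", "shadowcopy delete"),
]


def detect_lsass_access(events):
    """T1003: flag ProcessAccess events where a non-allow-listed image reads lsass memory."""
    alerts = []
    for e in events:
        if e["id"] != EVT_PROCESS_ACCESS:
            continue
        if not e["target_image"].lower().endswith(r"\lsass.exe"):
            continue
        src = e["source_image"].lower()
        granted = int(e["granted_access"], 16)  # Sysmon logs GrantedAccess as hex text
        if src in LSASS_ACCESS_ALLOWLIST or not granted & PROCESS_VM_READ:
            continue
        alerts.append({"rule": "T1003 lsass read", "host": e["host"],
                       "image": e["source_image"], "granted_access": e["granted_access"]})
    return alerts


def detect_recovery_tampering(events):
    """T1490: flag ProcessCreate events whose command line disables backups or recovery."""
    alerts = []
    for e in events:
        if e["id"] != EVT_PROCESS_CREATE:
            continue
        image = e["image"].lower().rsplit("\\", 1)[-1]
        cmd = " ".join(e["command_line"].lower().split())  # normalise case and spacing
        for binary, needle in RECOVERY_TAMPER_PATTERNS:
            if image == binary and needle in cmd:
                alerts.append({"rule": "T1490 recovery tamper", "host": e["host"],
                               "command_line": e["command_line"]})
                break
    return alerts


def detect_encryption_burst(events, window=timedelta(seconds=60), threshold=100):
    """T1486: flag a process that creates >= threshold files inside a sliding time window."""
    by_proc = defaultdict(list)
    for e in events:
        if e["id"] == EVT_FILE_CREATE:
            by_proc[(e["host"], e["process_guid"])].append(e["ts"])
    alerts = []
    for (host, guid), times in by_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "T1486 file-write burst", "host": host,
                               "process_guid": guid, "count": end - start + 1})
                break
    return alerts


def run_detections(events):
    return {"lsass": detect_lsass_access(events),
            "recovery": detect_recovery_tampering(events),
            "burst": detect_encryption_burst(events)}


def _build_sample_events():
    """Constructed telemetry (not real): one benign and one suspicious lsass read,
    one benign and one destructive vssadmin call, one file-write burst, normal activity."""
    t0 = datetime(2022, 6, 1, 3, 0, 0)
    lsass = r"C:\Windows\system32\lsass.exe"
    ev = [
        {"id": 10, "ts": t0, "host": "ws01", "target_image": lsass, "granted_access": "0x1410",
         "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
        {"id": 10, "ts": t0 + timedelta(seconds=5), "host": "ws01", "target_image": lsass,
         "granted_access": "0x1010", "source_image": r"C:\Users\Public\stage.exe"},  # hypothetical
        {"id": 1, "ts": t0 + timedelta(seconds=10), "host": "ws01", "process_guid": "{guid-1}",
         "image": r"C:\Windows\System32\vssadmin.exe", "command_line": "vssadmin.exe list shadows"},
        {"id": 1, "ts": t0 + timedelta(seconds=12), "host": "ws01", "process_guid": "{guid-2}",
         "image": r"C:\Windows\System32\vssadmin.exe",
         "command_line": "vssadmin.exe  Delete Shadows /All /Quiet"},
    ]
    for i in range(150):  # 150 file creates in 30 s by one process: the burst
        ev.append({"id": 11, "ts": t0 + timedelta(seconds=20 + i * 0.2), "host": "ws01",
                   "process_guid": "{guid-enc}", "target_filename": rf"C:\Shares\finance\doc{i}.locked"})
    for i in range(5):  # 5 file creates over ten minutes by another process: normal
        ev.append({"id": 11, "ts": t0 + timedelta(minutes=2 * i), "host": "ws01",
                   "process_guid": "{guid-explorer}", "target_filename": rf"C:\Users\alice\new{i}.txt"})
    return ev


SAMPLE_EVENTS = _build_sample_events()

if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(rule, len(hits), hits)
```

Run against the constructed sample the script raises exactly one alert per rule: the unknown binary reading LSASS, the `Delete Shadows` invocation (the benign `list shadows` is ignored), and the process that wrote 100 files inside a minute. The allow-list and the burst threshold are the two knobs that decide the false-positive rate; backup agents and AV engines belong on the allow-list, and the threshold should be set from a baseline of your own file-server activity.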

The bottom line

Hive was a top-tier ransomware brand brought down not by arrests alone but by the FBI hacking the hackers — a landmark case for disrupting ransomware from the inside.

Frequently asked questions

What is Hive ransomware?

Hive was a Russian-speaking ransomware-as-a-service operation active from 2021 to 2023, notorious for attacking hospitals and critical sectors, before being disrupted by an FBI-led operation.

How was Hive taken down?

The FBI covertly infiltrated Hive's infrastructure from mid-2022, quietly distributing decryption keys to more than 1,300 victims before seizing the operation's servers in January 2023.

How much did Hive make?

The DOJ said Hive received more than $100 million in ransom payments from over 1,500 victims across 80+ countries.

Is Hive still active?

No. Hive was disrupted in January 2023 and is inactive as a distinct operation, though former affiliates may have moved to other ransomware brands.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources: