13
26. The FBI confirmed the database on Target Server 2 was the Hive database because since July 2022, the FBI has, pursuant to federal search warrants, accessed the Hive database to identify victims and obtain decryption keys. When a victim is encrypted, the Hive ransomware creates a unique decryption key for that victim. Over the course of the investigation, the FBI obtained such decryption keys and distributed them to victims around the world. Victims receiving the keys confirmed they had been infected with Hive ransomware and that they were able to unlock their files using the decryption keys. As part of the decryption key operation, over the last six months, the FBI was able to provide decryption keys to 336 victims, sometimes within hours of encryption, saving victims approximately $130 million in ransom payments.
27. In addition to decryption keys, when the FBI examined the database found on Target Server 2, the FBI found records of Hive communications, malware file hash values,⁴ information on Hive’s 250 affiliates, and victim information consistent with the information it had previously obtained through the

⁴ A file hash value can be thought of as the “fingerprint” of a file. The contents of the file are processed by a cryptographic algorithm and the result is a unique numeric value (often represented in hexadecimal format). Some of the more common cryptographic algorithms used to obtain the hash value are MD5, SHA1, and SHA256. The contents of the file directly affect the file hash value so much so that even just adding or taking away a random ‘space’ or comma would result in a completely different file hash value. In some instances where a victim was not yet encrypted, the FBI was able to retrieve and use the malware hash to help a victim remove Hive ransomware from the system before encryption could take place.
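The following Python script is an added illustration of what footnote 4 describes; it is not part of the affidavit and contains no real Hive indicators. It computes the MD5, SHA1 and SHA256 digests of a constructed byte string, shows that appending a single space changes every digest, and then matches files on disk against a constructed, placeholder list of "known-bad" SHA256 values, which is how a defender would use a malware hash supplied by law enforcement to locate a dropped file before it runs. The sample content, the placeholder hash set, and the temporary directory are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample content; stands in for the bytes of a file on disk.
SAMPLE = b"hello world"


def file_hashes(data: bytes) -> dict:
    """Return the MD5, SHA1 and SHA256 hex digests of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def single_byte_change_alters_every_digest(data: bytes) -> bool:
    """The footnote's point: adding one space yields a completely different value
    under each algorithm, so a hash identifies exactly one file content."""
    before = file_hashes(data)
    after = file_hashes(data + b" ")
    return all(before[alg] != after[alg] for alg in before)


def hash_file(path: Path, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path, known_sha256: set) -> list:
    """Walk a directory tree and return (path, digest) for every file whose
    SHA256 appears in the supplied set of known malware hashes.
    SHA256 is used for matching because MD5 and SHA1 have practical collision
    attacks; they are still useful for cross-referencing older hash feeds."""
    wanted = {h.lower() for h in known_sha256}
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hash_file(path)
        if digest in wanted:
            hits.append((path, digest))
    return hits


def demo_scan() -> list:
    """Build a throwaway directory with one benign and one 'known-bad' file
    (constructed; the bad hash is just the SHA256 of SAMPLE) and return the
    names of the files the scan flagged."""
    known = {hashlib.sha256(SAMPLE).hexdigest()}  # placeholder IoC list
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "suspect.bin").write_bytes(SAMPLE)
        (root / "notes.txt").write_bytes(SAMPLE + b" ")  # one extra space
        return [p.name for p, _ in scan_directory(root, known)]


if __name__ == "__main__":
    for alg, digest in file_hashes(SAMPLE).items():
        print(f"{alg:7s} {digest}")
    print("one-space edit changes all digests:", single_byte_change_alters_every_digest(SAMPLE))
    print("flagged files:", demo_scan())
```

Note that the file with the extra trailing space is not flagged even though it differs by one byte, which is the property the footnote relies on: a hash match means the file content is identical to the sample the hash was taken from, and any repacked or trivially modified variant will need its own indicator.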
Case 2:23-mj-00281-DUTY *SEALED* Document 1 *SEALED* Filed 01/23/23 Page 22 of 24
Page ID #:22