TRANSCRIPT Ep. 67: Hive's WeWork Problem

Hive was a hacking group that aimed to create an efficient supply chain for ransomware attacks by establishing a virtual co-working space for elite cybercriminals. This allowed hackers with specialized skills to collaborate on large-scale attacks. For a few years, Hive was very successful, but tensions grew when they partnered with the Conti hacking group. Conti took over Hive's operations and accused Hive's leader of working with the FBI. This internal power struggle marked the downfall of Hive's utopian vision for cybercriminal collaboration.

Uploaded by

Will Jarvis

Ep. 67: Hive’s WeWork experiment — and why it went wrong

DINA TEMPLE-RASTON: What does the perfect workspace look like for a hacker? A kind of
office utopia for the cybercriminal underworld. Would it take a cue from one of those Google
offices people are always talking about? You know, hammocks everywhere, beer on tap,
gaming rooms and lots of cafeterias — a cavernous place for mingling, sharing of ideas and
maybe even give birth to an unexpected project. A sort of WeWork space on steroids. In
2021, a hacking group called Hive decided to turn this dream into a reality.

[MUSIC]

YELISEY BOHUSLAVSKIY: They turned their operation into the cybercrime WeWork. Like,
colleagues in crime that all exist in this same umbrella space of Hive.

TEMPLE-RASTON: This is Yelisey Bohuslavskiy. He goes by Eli. And he knows a lot about Hive
because he secretly spent months lurking in their virtual corridors. He’s a security
researcher who does this a lot, and what he saw inside Hive actually surprised him. He could
see elite cybercriminals just hanging out, bouncing ideas off each other. They seemed to be
actually professionalizing ransomware.

BOHUSLAVSKIY: They were hosting this space with a dashboard, with chats, with
communications, with negotiations handled by only a few people. And collectives from
different groups were coming to Hive, not of their direct subordinates, but rather, like,
colleagues in crime.

TEMPLE-RASTON: They wanted to create a more efficient supply chain, to use a rotating cast
of hackers with specialized skills who could then come together for some epic attack. You’re
good at breaking into a network? You go first. Then pass it along to Vladimir who is great at
data encryption. Alexi will negotiate the ransom payment, and then, at the end of the line,
voila…

[CASH REGISTER NOISE]

TEMPLE-RASTON: You have yourself a very successful ransomware attack.

[THEME MUSIC]

TEMPLE-RASTON: And since what appears to motivate hackers most is cold hard cash, the
enticement to join was that a team of elite hackers would end up making much more
money in much less time than any one person or group could individually. So maybe a
hacker utopia doesn’t look exactly like a Google office — no hammocks at the Hive. Maybe
their utopia looked more like a bank vault. A bank vault full of money.

[COINS FALLING]

[THEME MUSIC]

TEMPLE-RASTON: I’m Dina Temple-Raston, and this is Click Here, a podcast about all things
cyber and intelligence. Today, we take stock of a failed utopia. We’ll learn how Hive operated
and why its members were so optimistic and clung so zealously to their vision of a hacker
ideal. And why like so many utopias before it, it led to their undoing.

MIKE MCPHERSON: There’re humans behind this, right? And whether they're bank robbers
or terrorists or cyber criminals, they're humans. And humans make mistakes.

TEMPLE-RASTON: Stay with us.

[BREAK]

TEMPLE-RASTON: Eli Bohuslavskiy and one of his colleagues slipped into Hive’s workspace
and logged into its dashboard back in 2021.

BOHUSLAVSKIY: My team and I were able to get to their first panel. And since then [we’ve]
been advancing through their infrastructure — very slowly, though.

TEMPLE-RASTON: Everything they wanted to know was encapsulated in a very easy point
and click blue and orange screen: the panel. It included a friendly news feed, a chatroom, a
help desk, a running list of potential targets, who has paid, who hasn’t, private virtual
conference rooms. Hive wanted everyone who worked with them to feel like they were part
of something bigger, to feel utterly at home inside the Hive, right down to the language
that welcomed them when they signed on.

BOHUSLAVSKIY: It had two versions, actually. One was English. The other one was in
Russian, of course.

TEMPLE-RASTON: A lot of ransomware gangs are Russian-speaking. The Hive administrators
seemed to put a lot of thought into how they laid it all out. They even had a logo.

BOHUSLAVSKIY: Hive had a very clear brand branding. This, like, beehive kind of stylistics. It
was yellow with the hexagons. Quite, quite remarkable.

TEMPLE-RASTON: And maybe more remarkable, they weren’t just concerned with their
members’ experience. If you were one of Hive’s more than 1500 ransomware victims, they
wanted to make your user experience pleasant as well.

BOHUSLAVSKIY: They were simple to use. Very straightforward.

TEMPLE-RASTON: If they locked up your system, the ransom note included a very helpful
username and password. Type that into your computer, and it takes you to a screen where
you can just click on a button for a live chat with the attackers. There’s a file upload system,
and if you’ve decided to succumb to their ransom demand, there’s a link to Hive’s
decryption software.

“Congratulations,” it reads. “You’ve made the right choice. Please feel free to contact us if
you need any further information.”

[MUSIC]

TEMPLE-RASTON: And for a while, that little kernel of an idea they had about an elite crew
taking the world by storm seemed to be really working. And for a couple of years, in 2021
and 2022, nearly every week seemed to bring news of a fresh Hive attack.

LOCAL NEWS: A hacking group known as Hive claims to have stolen personal information
from Norman Public Schools.

CBS: From schools, hospitals and financial firms, the DOJ has said Hive has targeted more
than 1500 entities in more than 80 countries.

TEMPLE-RASTON: COVID was raging at the time, so they took advantage of the chaos and
started zeroing in on healthcare facilities. Their business calculation? The world’s
over-stretched hospitals would be more likely to just pay a ransom — no questions asked —
so they could concentrate on the pandemic. And Hive was right.

LOCAL NEWS: The head of Memorial Health system admits the attack could not have come
at a worse time…

CBS: At least five US hospitals were reportedly hit with ransomware attacks last week, and
that hacking could hurt patient care just as nationwide cases of COVID-19 are spiking…

[MUSIC]

TEMPLE-RASTON: But there were some things they miscalculated. For example, Hive figured
that if they shared their virtual co-working space with elite hackers, they’d avoid all the
problems you run into when you share your locker, or ransomware – with any ol’ hacker.

BOHUSLAVSKIY: So instead of giving, you know, the access to the locker to some random
guy in Belarus, they would give it to a collective that has been working together for years.

TEMPLE-RASTON: But what was also true was anytime you bring that many people together
for a job, things happen. They forgot to factor in an underlying truism in the hacker world –
that this was a group of mostly men who were very good at extorting money and not so
great at assessing people. And that’s next.

[MUSIC]

TEMPLE-RASTON: Stay with us.

[BREAK]

TEMPLE-RASTON: By 2022, Hive had raked in some $100 million in ransom payments.

[MUSIC]

TEMPLE-RASTON: And while they were right about what a skilled hacking team could
accomplish, they hadn’t factored in what happens when you put those elite hackers in a
virtual room together. Ego clashed, so it wasn’t too surprising that some group would
decide that they should be in charge instead of Hive. And that’s what happened when they
started working with a crew called Conti, one of the most professional and active
ransomware organizations on the planet.

YOUTUBER: Conti ransomware gang has become notorious…

NEWS: There’s been some developments around the Conti ransomware group…

TEMPLE-RASTON: They had salaried employees, vacation policies, HR. So bringing these two
massive hacker collectives together was quite an undertaking. Think of it as Wendy’s joining
forces with Burger King.

BURGER KING COMMERCIAL: Burger King! Yay!

[MUSIC]

TEMPLE-RASTON: And at first, they played nicely together. And to belabor the metaphor,
they essentially agreed to serve both Whoppers and Dave's Triple. Customers could have
both shakes and Frosties. And they deployed people in a way that focused on their
strengths, not on their affiliation to any one group. But then, sometime in very early 2022…

BOHUSLAVSKIY: We could kind of say that Conti consumed Hive, which is very typical for
Conti. [They] really like very, very hostile adversarial acquisition of the ransomware space…

TEMPLE-RASTON: [Laughs] Hostile takeover.

BOHUSLAVSKIY: Yes. Hostile takeover. Conti was very known for that. And they’re still doing
that. It’s definitely a part of their MO.

[MUSIC]

TEMPLE-RASTON: Eli could see all this. He could see that Hive administrators were still
controlling their dashboard, but the Conti crew seemed to be using Hive’s ransomware —
and, according to Eli, didn’t appear to be not paying Hive for it. Typically groups that rent
out their ransomware get a cut of the ransoms collected. As you can imagine, Hive was not
happy about Conti making itself this much at home.

BOHUSLAVSKIY: It was clear they had a lot of clashes with the leadership of Hive. You know,
the relationship was tense after the takeover.

TEMPLE-RASTON: Rumors started flying.

BOHUSLAVSKIY: And they were actually suggesting that the leader of Hive was working with
the FBI, kind of like sabotaging the entire thing.

TEMPLE-RASTON: Turns out they weren’t totally wrong about the FBI being around, but
we’ll get to that in a minute. What’s important to know now is that the Hive-Conti power
struggle kind of resolved itself in the most unexpected way.

[MUSIC]

[BOMBS AND SIRENS]

NEWS: Overnight, the lives of millions of people in Ukraine changed forever…

TEMPLE-RASTON: The Russian invasion of Ukraine. Conti took a side in the war, and they
sided with Moscow. It soon came out that they appeared to have really close ties to the
Kremlin, which, to put it mildly, made Conti very unpopular. Suddenly people just refused to
do business with them.

BOHUSLAVSKIY: A lot of companies just stopped paying them ransoms.

TEMPLE-RASTON: Which is an existential problem if you’re a ransomware gang. And the way
Conti got around that? Well, they found a partner, someone who agreed to route their
payments. Someone they’d already been working with: Hive. It appears Conti went back to
Hive’s leaders and said, I imagine, We’ve got a ton of unfinished ransomware business out there.
Mind if we just divert it to you?

BOHUSLAVSKIY: We started to see a lot of former Conti victims being dumped on Hive’s
website in order to force those victims to pay.

TEMPLE-RASTON: It was hard to know where Hive ended and Conti began. But most cyber
security analysts say that Conti had gotten the better of Hive, taking it over from the inside.
But that wasn’t what took Hive down. What spelled its demise had nothing to do with power
struggles or clashing egos. It was a rookie mistake: When they brought all those famous
hackers together, it got them noticed — not just by people like Eli who were able to sneak
into their systems, but people with blue windbreakers, with three letters on the back.
People like Mike McPherson of the FBI.

MCPHERSON: The way the FBI does it is, whatever the first office that comes across a
new strain of ransomware, a new type of ransomware, that office will effectively own that
investigation…

TEMPLE-RASTON: Mike was the Special Agent in Charge of the FBI’s Tampa office. And he
was part of a law enforcement crew that started undermining Hive from the inside. They
had slipped into their network and could see what Hive was up to.

MCPHERSON: We’re able to see who the victims were. As we can go to the victim and say,
You have a problem on your network, and we can tell them what to go look for.

TEMPLE-RASTON: They’d have their cybersecurity officers look and push Hive out of their
networks before Hive even had a chance to lock them up. So they prevented those attacks.
For anyone already in the throes of ransomware negotiations with the group, the FBI had a
solution for that, too. Since it had access to Hive’s panel, they could see the full list of
victims. So they just worked their way down the list and actually generated decryption keys
for hundreds of them.

BRYAN SMITH: Each victim has a unique decryptor for them.

TEMPLE-RASTON: This is Bryan Smith. He’s in charge of the FBI’s Cyber Crimes Unit.

SMITH: And in Hive, what we were able to do was actually generate the decryptor for that
particular victim and then provide it to them if they wanted.

TEMPLE-RASTON: So you didn't pull it out of Hive?

SMITH: Correct. We created it.

TEMPLE-RASTON: Wow.

[MUSIC]

TEMPLE-RASTON: So, one by one, the FBI created keys, sent them to Hive’s victims or
authorities in other countries, and then after getting the FBI’s decryption key, victims would
mysteriously tell Hive to, well, buzz off — we’re not giving you any money. Which meant that
the ransoms that kept Hive’s operation humming started to dry up.

SMITH: We recognized that this was a unique opportunity that we had in order to make
victims whole. And prevent payments by them at scale.

TEMPLE-RASTON: According to FBI and DOJ estimates, the operation ended up thwarting
more than $130 million in ransom payments. And then, in January, the FBI went in and took
the whole operation down.

MERRICK GARLAND: We are here to announce that last night the Justice Department
dismantled an international ransomware network known as the Hive ransomware group…

TEMPLE-RASTON: This is Attorney General Merrick Garland announcing that the authorities
had broken into the group’s servers, dismantled its infrastructure, and, well, ended them.
Hive’s utopian pretensions ran headlong into earthly realities. And you’d think the Hive
members would be upset — vowing revenge, shaking fists in the air. But they had a very
different reaction.

BOHUSLAVSKIY: Overall the median reaction was positive. They actually reacted to that with
joy, which was really surprising to me.

TEMPLE-RASTON: There had been so much infighting, the breakup came as something of a
relief. Hive had wrapped itself in the gauzy rhetoric of some sort of hacker utopia. But Eli
said even though it failed, it wasn’t an empty exercise.

BOHUSLAVSKIY: There was the general cybercrime community that kind of said, This is a
lesson to us and this is a reminder to be more careful. So there was some positivity here.

TEMPLE-RASTON: After all, while the online community was taken down, no Hive
administrators were arrested. The admins are believed to be in Russia, so the FBI couldn’t
get to them. So instead, it seems everyone involved walked away a little wiser.

TEMPLE-RASTON: Is Hive dead?

BOHUSLAVSKIY: Hive as a brand is dead. That being said, today, ransomware is centered
around skill rather than branding. So I could imagine the top employees, the top operatives
of Hive, they would keep operating.

TEMPLE-RASTON: And keep tinkering with this ransomware business model until they get it
right.

[MUSIC]

This is Click Here.

[HEADLINES MUSIC]

TEMPLE-RASTON: Here are some of the top cyber and intelligence stories of the past week.
Researchers on Cisco’s Talos threat intelligence team warned this week that rookie hackers
have been incorporating some of the most advanced features in their cyberattacks thanks
to a new tool: phishing-as-a-service.

Just like the ransomware and access-as-a-service operations that have grown up before it,
phishing-as-a-service operations like one called “Greatness” are behind some of the spikes
in cyber attacks. They said Greatness has “almost exclusively” been used to target
companies, rather than government organizations.

Microsoft on Tuesday released a new fix for a vulnerability that Ukrainian cybersecurity
officials spotted in its Outlook email service. Microsoft Threat Intelligence said that a
Russia-based threat actor used the exploit in targeted attacks against a limited number of
organizations in government, transportation, energy, and military sectors in Europe. The
vulnerability was patched last March, but attackers found a way around it. Now apparently
that has been fixed.

Hackers infiltrated networks of at least two colleges this month, disrupting the
school year just before final exams and commencement ceremonies. The attacks
targeted Tennessee’s Chattanooga State Community College and Mercer University.
While no one has taken responsibility for the attacks, Chattanooga had to shut down its
systems over the weekend. Mercer University said some sensitive student, parent, and
employee information was stolen, but no personal financial data was affected.
