The US has revealed it infiltrated a prolific cyber-crime gang to secretly sabotage their hacking attacks for more than six months.
The Department of Justice (DOJ) revealed the FBI gained deep access to the Hive ransomware group in late July 2022.
Officers were able to warn victims of impending attacks.
They also gave more than 300 decryption keys to those hacked, saving them, they estimate, more than $130m (£105m).
Ransomware gangs use malicious software that encrypts victims’ files, locking them up and making them inaccessible unless a ransom is paid to obtain a decryption key.
The US estimates Hive and its affiliates collected over $100m (£81m) from more than 1,500 victims, including hospitals, school districts, financial companies and critical infrastructure, in more than 80 countries around the world. One hospital was left unable to accept new patients.
The US said it had taken down Hive’s websites and communication networks, working with other national police forces including in Germany and the Netherlands.
Attorney General Merrick Garland said: “Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world.”
Deputy Attorney General Lisa O Monaco said: “Simply put, using lawful means, we hacked the hackers.”
The DOJ said it would pursue those behind Hive until they were brought to justice.
“A good covert operation can degrade confidence in operational security and inject suspicion among actors,” Mandiant Threat Intelligence head John Hultquist said.
But he added: “Until the group is arrested, they will never truly be gone. They will have to reconstitute, which takes time, but I’ll bet they reappear in time.”
Researchers and cyber authorities have long accused Russia of harbouring ransomware groups.
In November 2021, alleged members of the REvil gang were arrested around the world, with US authorities retrieving more than $6m in cryptocurrency in a “claw back” hacking operation.
A similar operation by the US, in June 2021, took the Darkside gang offline and recovered $4.1m in stolen funds.
And in January of the same year, the ransomware group NetWalker’s darknet websites were also taken offline and a key affiliate arrested in Canada.
In all three cases, the hacking groups largely disbanded but are thought to have re-formed into other collectives.
The latest action comes as research suggests ransomware crews saw a 40% drop in earnings, as victims in 2022 are refusing to pay.
“We expect initiatives like this to only grow stronger between allied cyber-powers, to ensure that governments, organisations, and citizens will be better protected,” Nominet government cyber-services expert Kim Wiles said.