A multinational law enforcement operation seized control of digital infrastructure used by the Hive ransomware-as-a-service (RaaS) criminal group at the end of January, cutting off its ability to extort its victims. After infiltrating the group’s network last summer, federal agents were able to identify targets and obtain decryption keys that prevented about 300 victims across the globe from paying $130 million worth of demanded extortion payments. In this first article of a two-part series, with insights from legal and cybersecurity experts, we discuss the history and tactics of Hive, the takedown and factors contributing to the decline in ransomware. Part two will offer measures to prevent these attacks and discuss the importance of coordination with law enforcement, including how it worked in this instance. See our two-part series on a ransomware tabletop’s 360-degree incident response view: “Days One to Four” (Jan. 4, 2022); and “Day Five Through Post-Mortem” (Jan. 11, 2023).