This past week, on January 26th to be exact, the FBI shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat, and ransomware gangs like BlackMatter, REvil, and DarkSide are constantly evolving, developing new tools, and changing tactics, we thought we'd give you a quick overview of Hive ransomware: who they are, what they are, who they target, and more.

First discovered in June 2021, Hive is an affiliate-based ransomware that cybercriminals use to target healthcare facilities, nonprofits, retailers, energy providers, and other sectors worldwide. This Ransomware-as-a-Service model lets affiliates use Hive as they see fit. The Hive operator relies on common ransomware tactics, techniques, and procedures to compromise victims' devices, exfiltrate sensitive data, and encrypt business files. Its affiliates gain access to victims' networks through phishing emails containing malicious attachments, leaked VPN credentials, and the exploitation of vulnerabilities in external-facing assets. Hive drops a plain-text ransom note threatening to publish the victim's data on the TOR website 'HiveLeaks' unless the attacker's demands are met.

The Hive ransomware group is thought to be a Russian organization. Some of its affiliates are said to have migrated to Hive around May 2022, when the Conti group shut down its attack infrastructure. This belief stems from the fact that Conti and Hive simultaneously leaked the same victims on both of their leak sites, as in the attack on Costa Rican government infrastructure. According to the Hive TOR leak site, Hive ransomware has targeted institutions in more than 20 countries since its emergence, from the USA in the far west to Japan in the far east. Now let's take a closer look at how Hive ransomware operates and what tactics it uses.
According to the FBI, the Hive ransomware gang uses a variety of TTPs in its attacks. Early Hive variants were developed in GoLang. Hive ransomware encrypts critical files and then deploys two malicious scripts for cleanup. When compromising a victim network, Hive actors exfiltrate data and encrypt files on the network. Hive uses spear-phishing emails with attachments to gain access to the victim's network. To evade anti-malware defenses, Hive terminates processes related to backups, restores, anti-virus, anti-spyware, and file copying. After Hive encrypts files and saves them with a .hive extension, it creates batch files that delete Hive's executable, disk backup copies, snapshots, and the batch files themselves. Lastly, Hive drops a ransom note into each affected directory.

Hive actors communicate the ransom amount and payment deadline to victim organizations via live chat. They negotiate ransom demands in U.S. dollars, with initial amounts ranging from several thousand dollars to millions. Victim organizations that restored their networks without paying a ransom have been reinfected with Hive ransomware or another ransomware variant by Hive actors.

Cybersecurity researchers have analyzed Hive ransomware v5, which is written in Rust and uses string encryption to make it harder to analyze. In the Rust variant, attackers must first know the required parameters: an attacker can restrict encryption to remote shares or to local files, or set a minimum file size for encryption. Hive has a TOR leak site where victims and countdowns are posted.

As an aside, research conducted at the end of 2021 found that Hive targets three organizations per day on average. The study also discovered that Hive had compromised 355 organizations, with only 55 victims appearing on its TOR leak site. Judging by its TOR leak site, Hive ransomware attacks have affected nearly 30 countries. With 93 attacks, the United States accounts for nearly half of all Hive ransomware attacks.
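The two file-system artifacts described above, the .hive extension on encrypted files and a plain-text ransom note dropped into each affected directory, can be checked for with a simple scan. The following is an added example, not code from the article or from Heimdal; the directory layout, file names, and note text are constructed for the demo, and the assumption that the note mentions 'HiveLeaks' is ours.

```python
import os
import tempfile
from pathlib import Path

HIVE_EXTENSION = ".hive"   # extension Hive appends to encrypted files (from the article)
NOTE_MARKER = "HiveLeaks"  # leak site named in the ransom note (assumed to appear in the note text)


def scan_tree(root, min_encrypted=3):
    """Walk a directory tree and return (relative_dir, encrypted_count, has_note)
    for every directory that holds a ransom note or at least min_encrypted
    files carrying the .hive extension."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = [f for f in filenames if f.lower().endswith(HIVE_EXTENSION)]
        has_note = False
        for name in filenames:
            # Hive drops a plain-text note, so only inspect .txt files.
            if not name.lower().endswith(".txt"):
                continue
            try:
                text = Path(dirpath, name).read_text(errors="ignore")
            except OSError:
                continue
            if NOTE_MARKER.lower() in text.lower():
                has_note = True
                break
        if has_note or len(encrypted) >= min_encrypted:
            findings.append((os.path.relpath(dirpath, root), len(encrypted), has_note))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample data: one clean directory and one that shows the
    post-encryption artifacts described in the article."""
    root = tempfile.mkdtemp(prefix="hive_demo_")
    clean = Path(root, "docs")
    clean.mkdir()
    (clean / "report.docx").write_bytes(b"x" * 10)
    (clean / "notes.txt").write_text("meeting notes")
    hit = Path(root, "finance")
    hit.mkdir()
    for name in ("q1.xlsx", "q2.xlsx", "budget.pdf", "payroll.csv"):
        (hit / (name + HIVE_EXTENSION)).write_bytes(b"\x00" * 16)
    (hit / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. See HiveLeaks.")
    return root


if __name__ == "__main__":
    for directory, count, note in scan_tree(build_sample_tree()):
        print(f"{directory}: {count} .hive files, ransom note present: {note}")
```

Tune min_encrypted to the size of the shares being scanned; a single stray .hive file is not on its own evidence of an incident.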
Four industries stand out above the rest when we look at Hive ransomware attack statistics by industry: Healthcare 12.6%; Manufacturing 14.2%; Information Technology 8.9%; Education 7.9%; Construction 7.4%; Real Estate 3.2%. To avoid causing harm to people, some ransomware groups operating as RaaS claim to avoid targeting institutions such as healthcare providers. LockBit apologized for its latest attack on a healthcare institution and severed ties with the responsible affiliate. Hive's attacks on healthcare providers show that its operators have no moral qualms about attacking such organizations. Given how Hive ransomware operates, organizations of all sizes should be aware of its existence and take appropriate precautions. Against Hive, as against most ransomware attacks, Heimdal® provides its customers with an exceptional integrated cybersecurity suite, including Ransomware Encryption Protection, which is universally compatible with any antivirus solution and 100% signature-free, ensuring superior detection and remediation of all types of ransomware. You can avoid ransomware by taking a few simple steps; feel free to read our articles on preventing and mitigating ransomware attacks to expand your knowledge of ransomware protection.
This Cyber News was published on heimdalsecurity.com. Publication date: Wed, 01 Feb 2023 13:01:03 +0000