
Hive: how the ransomware gang that extorted money from victims around the world worked

Thursday's takedown of the Hive ransomware network, which extorted some $100 million from more than 1,500 victims around the world, shows how hacking has become an ultra-efficient niche industry in which almost anyone can become a cybercriminal.

The operation was carried out in coordination with police forces in the United States, Germany and the Netherlands, as well as with Europol, said FBI Director Christopher Wray.


modern business model

Hive operated under a model that cyber security experts call "ransomware as a service", or RaaS, in which one group rents its malware and playbook to others, who use them to extort money from a target.

The model is central to the broader ransomware ecosystem, in which actors specialize in one skill or role, maximizing efficiency.


According to Ariel Ropek, director of cyber threat intelligence at cybersecurity firm Avertium, this structure lets criminals with minimal computing skills get into the ransomware game by paying others for their expertise.

“There are quite a few of them,” Ropek said of RaaS operations. “It’s really a business model these days,” he added.

How does it work

On the so-called "dark web", the part of the internet that cannot be reached with conventional browsers, ransomware developers and support-service providers openly advertise their products.

At one end of the chain are initial access brokers, who specialize in breaking into corporate or institutional networks and then sell that access to the hacker or ransomware operator who will carry out the attack.


The operator in turn relies on RaaS developers like Hive, who have the programming skills to write the malware that carries out the attack and evades security controls.

Typically, once the operator has deployed the malware inside the target's IT systems, it encrypts the target's files and data, rendering them unusable until a decryption key is supplied.
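The two behaviours the article describes, a single process rewriting many files under a new extension and, under "polite but firm" below, the message left for the victim, are what a defender would look for on the endpoint. The following detection heuristic is an added example written for this page; it is not code from the article, from Avertium or from Hive. The pipe-separated event format, the sample events, the process name "updater.exe", the ".locked" extension and the note name "RESTORE_FILES.txt" are all constructed for the example and are not Hive's real artefacts.

```python
"""Heuristic detection of ransomware-style file activity over a constructed
event stream: a burst of renames that append a new extension to documents,
and the same note file dropped in many directories.  Added example, not Hive
code; the event format below is invented for the example."""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

WINDOW_SECONDS = 60      # burst window for the rename heuristic
MIN_RENAMED_FILES = 4    # renames-with-appended-extension per window to alert
MIN_NOTE_DIRS = 3        # same file name written in this many directories
# Extensions of user documents an encryptor is likely to target (assumption).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}

# Constructed sample events: "timestamp|pid|process|op|path".
# pid 7777 behaves like an encryptor; the ".locked" extension and the note
# name are invented for the example, not Hive's real artefacts.
SAMPLE_EVENTS = r"""
2023-01-26T09:00:01|4012|explorer.exe|WRITE|C:\Users\alice\Documents\notes.txt
2023-01-26T09:00:05|5120|svchost.exe|WRITE|C:\Windows\Temp\cache.tmp
2023-01-26T09:01:00|7777|updater.exe|RENAME|C:\Users\alice\Documents\q1.xlsx.locked
2023-01-26T09:01:01|7777|updater.exe|RENAME|C:\Users\alice\Documents\plan.docx.locked
2023-01-26T09:01:01|7777|updater.exe|WRITE|C:\Users\alice\Documents\RESTORE_FILES.txt
2023-01-26T09:01:02|7777|updater.exe|RENAME|C:\Users\alice\Pictures\img1.jpg.locked
2023-01-26T09:01:02|7777|updater.exe|WRITE|C:\Users\alice\Pictures\RESTORE_FILES.txt
2023-01-26T09:01:03|7777|updater.exe|RENAME|C:\Shares\finance\ledger.xlsx.locked
2023-01-26T09:01:03|7777|updater.exe|WRITE|C:\Shares\finance\RESTORE_FILES.txt
2023-01-26T09:01:04|7777|updater.exe|RENAME|C:\Shares\finance\budget.pdf.locked
2023-01-26T09:05:00|4012|explorer.exe|RENAME|C:\Users\alice\Documents\draft.docx
"""


def parse_events(text):
    """Parse the pipe-separated event lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, proc, op, path = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "pid": int(pid),
            "process": proc,
            "op": op,
            "path": PureWindowsPath(path),
        })
    return events


def has_appended_extension(path):
    """True for 'report.xlsx.locked': a document suffix with a new suffix appended."""
    suffixes = path.suffixes
    return len(suffixes) >= 2 and suffixes[-2].lower() in DOCUMENT_EXTS


def max_burst(timestamps, window_seconds):
    """Largest number of sorted timestamps that fall inside one window."""
    best = start = 0
    for i, ts in enumerate(timestamps):
        while (ts - timestamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, i - start + 1)
    return best


def detect_encryptors(events):
    """Return one alert dict per process showing encryption-like file activity."""
    by_pid = defaultdict(list)
    for event in events:
        by_pid[event["pid"]].append(event)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        renamed = [e for e in evs
                   if e["op"] == "RENAME" and has_appended_extension(e["path"])]
        burst = max_burst([e["ts"] for e in renamed], WINDOW_SECONDS)
        new_exts = sorted({e["path"].suffix.lower() for e in renamed})

        # Ransom notes are usually dropped under the same name in every directory touched.
        dirs_by_name = defaultdict(set)
        for e in evs:
            if e["op"] == "WRITE":
                dirs_by_name[e["path"].name.lower()].add(e["path"].parent)
        note_files = sorted(n for n, d in dirs_by_name.items() if len(d) >= MIN_NOTE_DIRS)

        if burst >= MIN_RENAMED_FILES or note_files:
            alerts.append({
                "pid": pid,
                "process": evs[0]["process"],
                "renamed_in_window": burst,
                "new_extensions": new_exts,
                "note_files": note_files,
            })
    return alerts


def find_sample_alerts():
    """Run the detector over the constructed sample stream."""
    return detect_encryptors(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in find_sample_alerts():
        print(alert)
```

Only pid 7777 is flagged: five document renames to a new extension inside a few seconds plus the same note name written in three directories. The legitimate rename of draft.docx by explorer.exe is ignored because no extra suffix was appended, and the thresholds are deliberately conservative so that a user bulk-renaming a handful of files does not trigger the alert.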

RaaS developers like Hive offer operators a full service in exchange for a sizeable share of the ransom paid, Ropek said.

"Their goal is to make the ransomware operation as complete as possible," he said.


polite but firm

Once the ransomware has been installed and activated, the victim receives a ransom note telling them how to contact the operator and how much to pay to decrypt their data.

That ransom can range from thousands to millions of dollars, depending on the financial strength of the target.

Typically the victim tries to negotiate through the operator's portal, but often doesn't get very far.

Last year, cybersecurity firm Menlo Security published a conversation between a victim and Hive's "sales department" that took place on the gang's portal for victims.


In it, the Hive operator politely and professionally offered to decrypt a test file to prove that the decryptor worked.

But when the victim offered a fraction of the $200,000 demanded, Hive was adamant, insisting the victim could pay the full amount.

Eventually, Hive's agent relented and offered a significant reduction. "The price is $50,000. It's final. What else to say?" the agent wrote.

If a targeted organization refuses to pay, RaaS developers have a fallback, often called double extortion: they threaten to publish or sell the sensitive files stolen during the intrusion.


Hive maintained a separate leak site, HiveLeaks, to publish that data.

According to Ropek, specialized operations sit behind the business to collect the money and make sure each participant gets their share of the ransom.

modest hit

Thursday’s action against Hive was only a modest blow against the RaaS industry.

There are plenty of other ransomware specialists, similar to Hive, that are still up and running.

The biggest current threat is LockBit, which attacked the UK’s Royal Mail in early January and a Canadian children’s hospital in December.


In November, the US Justice Department said LockBit had collected tens of millions of dollars in ransoms from some 1,000 victims.

And it's not hard for Hive's operators to start anew. "It's a relatively simple process of setting up new servers, generating new encryption keys. Usually there is some sort of rebranding," Ropek said.

Source: Elcomercio
