Discerning trends in ransomware has never been easy, but every now and again something jumps out from the confusion of events that points clearly at trouble ahead.
A good current example is the steady rise of the Hive ransomware group, first reported around mid-2021. Since then, there has been a steady stream of attacks attributed to it, most recently against French telecom company Altice.
Undoubtedly there have been others, so many in fact that security company Group-IB estimated that by October last year alone Hive affiliated groups had compromised at least 355 organizations across the world.
When mentioning ransomware groups, it’s easy to become desensitized to their significance in an industry where names come and go all the time.
Hive looks different, for reasons to do with the remarkable ransomware-as-a-service (RaaS) platform its programmers have built to offer attack services to paying affiliates.
It’s often said that well-implemented RaaS is a threat because it makes it easier for non-programmer criminals to rent ransomware capability. This is true, but this approach also has important technical effects that predict the increasing potency of future attacks.
We Aim To Please
Several companies, including Outpost 24 in August, have analyzed the sophisticated design of Hive’s RaaS and why it might predict trouble. At the core of this is that the RaaS system is based on a database which links to three separate portals:
- One accessed by the criminal affiliate
- A second accessed by the victim
- A Tor leak portal used to pressure victims into paying not to have their data published
The feature which makes this possible is that Hive has its own API, a programming interface used to connect its elements to one another. According to Outpost 24, this allows a seamless experience, both for the victim as well as the criminal.
For example, on receiving the ransom note, the victim can immediately access the data leak site using unique credentials where they can then interact with their attackers using chat, as well as see how to purchase decryption. The whole process is highly automated—a far cry from the clunky and unreliable systems used by most ransomware actors today.
Another feature of Hive is customer service. Worried about paying a ransom and not receiving your files back? The RaaS has a well-designed helpdesk system for criminals and victims to interact in a sophisticated way to ensure there are no hiccups.
The first effect of a platform such as Hive’s is that it speeds everything up. Attackers can now automate attacks, increasing the number of organizations they can target at one time.
It’s also possible that as more automation is added, the system will be able to conduct multiple types of extortion in an integrated way, for instance file encryption, data leaking, contacting partners, and threatening DDoS, all in a single workflow.
In summary, Hive isn’t simply sophisticated, it is incredibly fast and easy.
Can Hive Be Stopped?
Hive’s one weakness—indeed the biggest weakness of all ransomware groups—is that successful attacks depend heavily on stolen credentials coupled with unpatched vulnerabilities to fuel the RaaS ecosystem.
Uncovering and addressing those issues before the attackers find them will never be easy or cheap, but it might still be a lot easier and cheaper than dealing with the aftermath of a visit by Hive and its friends in the next year.