The Limited Times

Now you can see non-English news...

How was the fall of Hive, one of the largest ransomware groups in the world, and what does it mean?


The group of cyber criminals encrypted files to extort victims. The techniques they used and their disappearance.

The takedown of


, one of the world's largest ransomware gangs, rocked the cybercrime map: the group had managed to steal data from some 1,500 entities in 80 countries using this type of virus that

encrypts files

to extort money from its victims.



was among their main targets.

After the United States Attorney General, Merrick Garland, announced that they had managed to

seize the servers

and control the site -which was only accessible through the dark web-, different questions began to be triggered.

How did the group fall?

What does its disappearance mean for the growing scene of cybercrime?

Were the victims able to recover the information?

What will happen to the


, that is, the source code they used to encrypt their victims' systems with one of the most widely used ransomware in the world?

Several experts spoke with


to explain the panorama of a phenomenon that, although it began to raise less money than during the pandemic, is expanding throughout the globe:

new strains of ransomware

appear almost daily, with different variants and infiltration methods. in third party systems.

Hive: tactics, techniques and procedures

HiveLeaks, the site where the gang uploaded the published information of its victims.

Photo Hive Site



a Russian-speaking ransomware actor dedicated to

“Big Game Hunting”

: “The term refers to hunting for large game.

They look for victims with the ability to pay a ransom, whether they are large corporations or even



They study their victim financially to find out how much he is trading, what returns he has had in the last year and even what acquisitions he has made, ”explains

Mauro Eldritch

, a threat analyst.

The first Hive operation was detected between May and June 2021;

the last one, in January of this year.

The extortion model they use is that of

Ransomware as a Service



, Ransomware as a Service), "based on an


program where each accomplice obtains between

15% and 20% of the total value

of each ransom that one of their victims pay.

The cost to enter this affiliate program was around $50,000 (BTC).”

Among the most high-profile victims of Hive were

Costa Rica

's public health service (a country that was also hacked by Conti, along with Peru),

India's Tata Power

, German retail giant

Media Markt

, Indonesia's state-owned gas company and various US


groups .

But also local victims, such as Artear, in Argentina, Grupo Konecta and the national branch of

Pan American Energy

, among other


in our country.

Hive's post about Artear, in the middle of last year.

Photo Hive Blog

“Unlike other ransomware groups, Hive has encrypted and extorted health entities such as Consulate Health Care and the Virgen de la Caridad Medical Center,” adds the expert.

As a minimum, they always asked for

at least $200,000

, "with the possibility of a 50% discount for certain affiliates or victims."

As for the more technical aspects, Hive used “various targeted attack techniques to access networks:

brute force hacks

of RDP [Remote Access Protocol], abuse of common applications such as


or Microsoft Exchange,


to obtain credentials” explains

Robert Lipovsky

, ESET's principal threat intelligence researcher.



, the attackers could run the ransomware directly or use a scheduled task or download the information via a



Since they carried out specific attacks for each victim, the attack vector was adjusted depending on the objective”, adds the specialist.

The login used by Hive victims: they were given a username and password to log in and negotiate the payment.

Photo Hive Site

In order to extort, Hive used two of its own sites on the

dark web


This data is relevant because it denotes its own infrastructure (some groups use third-party services such as Anon Files to upload their leaks).

“They used two DLS (Dedicated Leak Sites): the first served as

a negotiation channel

for the victims offering a chat interface, the possibility of decrypting files (to guarantee the victim that the encryption process to which their files were subjected is


), and the possibility of downloading the decrypter once the negotiations are finished”, says Eldritch.

“This site is protected by a login that the victim will receive in the ransom note.

The second site covers those whose

negotiations were not fruitful

, and it is where the data leaked to the victims is published as it happened with Artear ”, she recalls.

How Hive fell: “We hack hackers”

Knowing exactly how a group of cybercriminals falls is difficult, especially when there are no arrests involved (as REvil did at the beginning of last year).

However, both from the FBI and from the expert analysis,

some hypotheses can be reconstructed.

The title left by the United States attorney was forceful:

"We hack hackers."

He was referring to the fact that, since July of last year, the FBI managed to break into the Hive network and capture its encryption keys.

Security analyst Jon DiMaggio did something similar in his Ransomware Diaries with LockBit last month, without seizing servers but gathering valuable information.

“We simply, using

legal means

, hack the hackers,” added Deputy Attorney General Lisa Monaco.

But it was the director of the FBI, Christopher Wray, who shed some light among so much cryptic information: “Last July, the Tampa FBI clandestinely gained permanent access to the Hive control panel and since then, for the last seven months ,

we were able to abuse that access

while Hive didn't know it was being spied on."

Thus, the gang may have unknowingly left a back door open that was exploited by law enforcement.

In this way, the North American security force, in collaboration with Europol and other international units, managed to return information for

130 million dollars in extortions

demanded by Hive.

In total there were 300 keys that were delivered (what is known as "decryption keys", decryption keys) in addition to a

thousand more keys

from previous victims, already exposed by the group on their blog.

The Hive site posted a notice from security forces on January 26.

Photo EFE

Among the reasons why they may have fallen is greed and a thirst for recognition: "Many of these gangs have become very greedy and have also been attacking health organizations and the government, which has

drawn attention

to them." says ESET's Lipovsky.

“These types of actions against ransomware are important, not only because of their impact on the target group, but also because of the information they can provide about other operations in the supply chain, such as



In addition, actions like this

decrease the trust of cybercriminals in each other

, complicating their collaborations”, thinks Brett Callow, a threat analyst at Emsisoft.

The point he makes is key:

there are inmates within the groups

: various researchers have pointed out this as a problem that works against them.

Just remember the


case from last month: an affiliate of the group encrypted a children's hospital with ransomware and the gang came out to apologize.

Thereupon, he returned the data and expelled the perpetrator of the attack.

“Ransomware used to be a very profitable, very low-risk business.

That is no longer true.

Disruptions and lawsuits


combining to decrease profit and increase risk, and over time, hopefully that will have an impact on the level of ransomware activity,” he anticipates.

As of today, both the Hive site and the possibility of contacting them are disabled: "At the moment all Hive communication channels

appear to be silent

," says Eldritch.

"This is

the end of Hive as we knew it

, no doubt, as affiliates and business partners will have lost confidence in the integrity of the ransomware operation," adds Callow, for whom the seizure of the site's infrastructure implies Hive's disappearance.

Ransomware, less profitable but more dangerous

Ransomware gangs are still very active, in a context where, according to CheckPoint, cyberattacks have increased by 38% over the past year.


the net benefit of cybercrime fell

, according to Chainalysis data, from $766 million to $457 million from 2021 to 2022.

Despite this, ransomware gangs have a

high capacity for mutation and survival

, in addition to making attack techniques more complex.

“Over the years, cybercriminals have

honed their levels of extortion

in order to achieve the highest level of ransom payment that the organization can afford,” explains Alejandro Botter, Check Point's engineering manager for southern Latin America.

"The first of the types of extortion (classic) only contemplated re-accessing the data, as of 2019 a

second type of extortion

began to be observed where the attacker also indicated that if it was not paid, confidential information would be published," keep explaining.

"Finally, there is a triple extortion, observed in recent years, where the attacker also pressures close contacts such as customers, employees, and partners, requiring a payment in order not to publish their sensitive data that was extracted from the attacker," it disaggregates. the analyst.

Double and triple extortion in ransomware.

Source CheckPoint Research

Also, just because Hive is down doesn't necessarily mean your code is buried.

Any ransomware code can be reused


The main idea behind RaaS, ransomware-as-a-service, is to keep the master key private, but the key can easily be changed to a new one and the operation can continue on other infrastructure,” warns ESET's Lipovsky.

“Malware code reuse is commonplace, why reinvent the wheel when you can take advantage of previously developed malware?

Just like software developers, cybercriminals love to

reuse code to save time

,” Botter adds.

It is worth remembering that the


code was found, under different guises, going around in different current analyses.

“It is important to consider that ex-members and the structure of important groups have reappeared in new groups.

The ransomware ecosystem continues to evolve and grow with smaller, more agile criminal groups forming to evade law enforcement.

For this reason, although it is considered that groups such as Conti, REvil and DarkSide stopped their operations or were dismantled, it is suspected that part of their structure and former members are still in force”, argues Botter.

"Unfortunately, it is likely that the people behind Hive will resume operations under a new brand," agrees Emsisoft's Callow.

The ransomware scene is alive and moves in a very oxygenated ecosystem. 

LockBit, Black Basta, Black Cat (ALPHV), Royal, BlackByte, Vice Society, BianLian

, are other bands that are still active.

During the end of January, in fact, a new strain called


was registered that is spreading at great speed.

Perhaps, after Hive, some members have already migrated their operations to

new threat actors.

Or, what is also common, they have joined already established ransomware groups.

Options are not lacking.


look also

Hive, one of the world's largest ransomware gangs, is dismantled: "We hack hackers"

Lockbit ransomware gang encrypts children's hospital, apologizes, returns data

Source: clarin

All tech articles on 2023-02-09

You may like

Trends 24h


© Communities 2019 - Privacy

The information on this site is from external sources that are not under our control.
The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.