The takedown of Hive, one of the world's largest ransomware gangs, rocked the cybercrime map: the group had managed to steal data from some 1,500 entities in 80 countries using this type of malware, which encrypts files to extort money from its victims.
Interestingly, Argentina was among their main targets.
After the United States Attorney General, Merrick Garland, announced that they had managed to seize the servers and take control of the site (which was only accessible through the dark web), several questions began to arise.
How did the group fall? What does its disappearance mean for the growing cybercrime scene? Were the victims able to recover their information? What will happen to the encrypter, that is, the source code they used to encrypt their victims' systems with one of the most widely used ransomware strains in the world?
Several experts spoke with Clarín to explain the panorama of a phenomenon that, although it began to raise less money than during the pandemic, is expanding across the globe: new strains of ransomware appear almost daily, with different variants and different methods of infiltrating third-party systems.
Hive: tactics, techniques and procedures
HiveLeaks, the site where the gang published the stolen information of its victims. Photo: Hive site.
Hive is a Russian-speaking ransomware actor dedicated to "Big Game Hunting": "The term refers to hunting for large game. They look for victims with the ability to pay a ransom, whether they are large corporations or even governments. They study their victim financially to find out how much it earns, what returns it has had in the last year and even what acquisitions it has made," explains Mauro Eldritch, a threat analyst.
The first Hive operation was detected between May and June 2021; the last one, in January of this year.
The extortion model they use is that of Ransomware as a Service (RaaS), "based on an affiliate program where each accomplice obtains between 15% and 20% of the total value of each ransom that one of their victims pays. The cost to enter this affiliate program was around $50,000 (BTC)."
Among the most high-profile victims of Hive were Costa Rica's public health service (a country that was also hacked by Conti, along with Peru), India's Tata Power, German retail giant Media Markt, Indonesia's state-owned gas company and various US hospital groups.
But there were also local victims, such as Artear, Grupo Konecta and the national branch of Pan American Energy, among other targets in Argentina.
Hive's post about Artear, in the middle of last year. Photo: Hive blog.
“Unlike other ransomware groups, Hive has encrypted and extorted health entities such as Consulate Health Care and the Virgen de la Caridad Medical Center,” adds the expert.
As a minimum, they always asked for at least $200,000, "with the possibility of a 50% discount for certain affiliates or victims."
As for the more technical aspects, Hive used "various targeted attack techniques to access networks: brute-force attacks against RDP [Remote Desktop Protocol], abuse of common applications such as VPNs or Microsoft Exchange, phishing to obtain credentials," explains Robert Lipovsky, ESET's principal threat intelligence researcher.
"Once infiltrated, the attackers could run the ransomware directly or use a scheduled task, or download the information via a script. Since they carried out specific attacks for each victim, the attack vector was adjusted depending on the objective," adds the specialist.
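As an added example (not code from the article or from any of the researchers quoted in it), the following Python script correlates the access chain Lipovsky describes, an RDP brute-force that ends in a successful logon followed by the creation of a scheduled task, over a handful of constructed Windows Security event records. The event IDs are the standard Windows ones; the thresholds, windows, hosts and account names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample Windows Security events (not real logs), oldest first:
# (timestamp, event id, logon type, source IP, account, task name). 4625 = failed
# logon, 4624 = successful logon, 4698 = scheduled task created; logon type 10 = RDP.
EVENTS = [
    ("2023-01-10T02:00:01", 4625, 10, "203.0.113.7", "svc_backup", ""),
    ("2023-01-10T02:00:03", 4625, 10, "203.0.113.7", "svc_backup", ""),
    ("2023-01-10T02:00:05", 4625, 10, "203.0.113.7", "svc_backup", ""),
    ("2023-01-10T02:00:08", 4625, 10, "203.0.113.7", "svc_backup", ""),
    ("2023-01-10T02:00:14", 4624, 10, "203.0.113.7", "svc_backup", ""),
    ("2023-01-10T02:03:40", 4698, 0, "", "svc_backup", "\\Updater"),
    ("2023-01-10T09:12:00", 4625, 10, "198.51.100.5", "alice", ""),  # single typo, benign
    ("2023-01-10T09:12:30", 4624, 10, "198.51.100.5", "alice", ""),
]
FAIL_THRESHOLD = 4                    # this many RDP failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)    # ... inside this window counts as brute force
FOLLOWUP_WINDOW = timedelta(hours=1)  # a task created this soon after the logon is flagged

def parse(raw):
    ts, eid, ltype, src, acct, task = raw
    return {"ts": datetime.fromisoformat(ts), "eid": eid, "ltype": ltype,
            "src": src, "acct": acct, "task": task}

def brute_force_sources(events):
    """Map source IP -> time at which its failed RDP logons first crossed the threshold."""
    recent, hits = defaultdict(list), {}
    for e in events:
        if e["eid"] == 4625 and e["ltype"] == 10:
            window = recent[e["src"]]          # sliding window of failure times per source
            window.append(e["ts"])
            while e["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD and e["src"] not in hits:
                hits[e["src"]] = e["ts"]
    return hits

def detect_chain(raw_events):
    """Return (source, account, task) for each brute force -> RDP logon -> scheduled task chain."""
    events = sorted((parse(r) for r in raw_events), key=lambda e: e["ts"])
    hits, alerts = brute_force_sources(events), []
    for logon in events:
        flagged_at = hits.get(logon["src"])
        if logon["eid"] != 4624 or logon["ltype"] != 10 or flagged_at is None or logon["ts"] < flagged_at:
            continue   # not an RDP success that follows a flagged brute force from the same source
        for task in events:   # the same account creates a scheduled task shortly afterwards
            if (task["eid"] == 4698 and task["acct"] == logon["acct"]
                    and logon["ts"] <= task["ts"] <= logon["ts"] + FOLLOWUP_WINDOW):
                alerts.append((logon["src"], logon["acct"], task["task"]))
    return alerts
```

On hosts with Network Level Authentication enabled, failed RDP logons are usually recorded with logon type 3 rather than 10, so a production rule should accept both.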
The login page used by Hive victims: they were given a username and password to log in and negotiate the payment. Photo: Hive site.
In order to extort, Hive used two sites of its own on the dark web. This detail is relevant because it shows the group ran its own infrastructure (some groups use third-party services such as AnonFiles to upload their leaks).
"They used two DLS (Dedicated Leak Sites): the first served as a negotiation channel for the victims, offering a chat interface, the possibility of decrypting files (to guarantee the victim that the encryption process to which their files were subjected is reversible), and the possibility of downloading the decrypter once the negotiations are finished," says Eldritch. "This site is protected by a login that the victim receives in the ransom note. The second site covers those whose negotiations were not fruitful, and it is where the victims' leaked data is published, as happened with Artear," he recalls.
How Hive fell: “We hack hackers”
Knowing exactly how a group of cybercriminals falls is difficult, especially when there are no arrests involved (as there were with REvil at the beginning of last year). However, from both the FBI's statements and expert analysis, some hypotheses can be reconstructed.
The headline left by the United States Attorney General was forceful: "We hack hackers." He was referring to the fact that, since July of last year, the FBI had managed to break into the Hive network and capture its encryption keys. Security analyst Jon DiMaggio did something similar in his Ransomware Diaries with LockBit last month, without seizing servers but gathering valuable information.
"We simply, using legal means, hack the hackers," added Deputy Attorney General Lisa Monaco.
But it was the director of the FBI, Christopher Wray, who shed some light among so much cryptic information: "Last July, the Tampa FBI clandestinely gained permanent access to the Hive control panel and since then, for the last seven months, we were able to abuse that access while Hive didn't know it was being spied on." Thus, the gang may have unknowingly left a back door open that was exploited by law enforcement.
In this way, the US security agency, in collaboration with Europol and other international units, managed to return data for which Hive had demanded 130 million dollars in ransoms. In total, 300 decryption keys were delivered, in addition to a thousand more keys from previous victims, already exposed by the group on its blog.
The Hive site displaying a notice from law enforcement on January 26. Photo: EFE.
Among the reasons why they may have fallen are greed and a thirst for recognition: "Many of these gangs have become very greedy and have also been attacking health organizations and the government, which has drawn attention to them," says ESET's Lipovsky.
"These types of actions against ransomware are important, not only because of their impact on the target group, but also because of the information they can provide about other operations in the supply chain, such as brokers [intermediaries]. In addition, actions like this decrease the trust of cybercriminals in each other, complicating their collaborations," says Brett Callow, a threat analyst at Emsisoft.
The point he makes is key: there are infiltrators within the groups, and various researchers have pointed to this as a problem that works against them. Just remember the LockBit case from last month: an affiliate of the group encrypted a children's hospital with ransomware and the gang came out to apologize. It then returned the data and expelled the perpetrator of the attack.
"Ransomware used to be a very profitable, very low-risk business. That is no longer true. Disruptions and lawsuits are combining to decrease profit and increase risk, and over time, hopefully that will have an impact on the level of ransomware activity," he anticipates.
As of today, both the Hive site and the possibility of contacting them are disabled: "At the moment all Hive communication channels appear to be silent," says Eldritch. "This is the end of Hive as we knew it, no doubt, as affiliates and business partners will have lost confidence in the integrity of the ransomware operation," adds Callow, for whom the seizure of the site's infrastructure implies Hive's disappearance.
Ransomware, less profitable but more dangerous
Ransomware gangs are still very active, in a context where, according to Check Point, cyberattacks have increased by 38% over the past year. However, the net profit of cybercrime fell, according to Chainalysis data, from $766 million to $457 million from 2021 to 2022.
Despite this, ransomware gangs have a high capacity for mutation and survival, and they keep making their attack techniques more complex.
"Over the years, cybercriminals have honed their levels of extortion in order to achieve the highest level of ransom payment that the organization can afford," explains Alejandro Botter, Check Point's engineering manager for southern Latin America. "The first type of extortion (classic) only contemplated regaining access to the data; as of 2019 a second type of extortion began to be observed, where the attacker also indicated that if payment was not made, confidential information would be published," he continues. "Finally, there is triple extortion, observed in recent years, where the attacker also pressures close contacts such as customers, employees and partners, demanding a payment in order not to publish their sensitive data that was extracted by the attacker," the analyst breaks down.
Double and triple extortion in ransomware. Source: Check Point Research.
Also, just because Hive is down doesn't necessarily mean its code is buried.
"Any ransomware code can be reused. The main idea behind RaaS, ransomware-as-a-service, is to keep the master key private, but the key can easily be changed to a new one and the operation can continue on other infrastructure," warns ESET's Lipovsky.
"Malware code reuse is commonplace: why reinvent the wheel when you can take advantage of previously developed malware? Just like software developers, cybercriminals love to reuse code to save time," Botter adds.
It is worth remembering that the REvil code has been found, under different guises, circulating in various current analyses.
"It is important to consider that ex-members and the structure of important groups have reappeared in new groups. The ransomware ecosystem continues to evolve and grow, with smaller, more agile criminal groups forming to evade law enforcement. For this reason, although groups such as Conti, REvil and DarkSide are considered to have stopped their operations or been dismantled, it is suspected that part of their structure and former members are still active," argues Botter.
"Unfortunately, it is likely that the people behind Hive will resume operations under a new brand," agrees Emsisoft's Callow.
The ransomware scene is alive and moves in a very oxygenated ecosystem. LockBit, Black Basta, BlackCat (ALPHV), Royal, BlackByte, Vice Society and BianLian are other gangs that are still active.
At the end of January, in fact, a new strain called Nevada was registered that is spreading at great speed.
Perhaps, after Hive, some members have already migrated their operations to new threat actors. Or, as is also common, they have joined already established ransomware groups. There is no shortage of options.
SL