Hive (ransomware) explained

Hive (also known as the Hive ransomware group) was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.[1]

In January 2023, following a joint US–German investigation involving 13 law enforcement agencies, the United States announced that the FBI had "hacked the hackers" over several months, resulting in seizure of the Hive ransomware group's servers, effectively shuttering the criminal enterprise. The Hive ransomware group had extorted over $100 million from about 1,500 victims in more than 80 countries when dismantled by law enforcement.[2] [3] [4] The investigation continues, with the US State Department adding a $US10 million bounty for information linking Hive ransomware to any foreign government.

Method of operation

Hive employed a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. According to the Federal Bureau of Investigation (FBI), it functioned as affiliate-based ransomware, using multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access, and Remote Desktop Protocol (RDP) once a network was infiltrated.[5] Using locker malware and operating as a RaaS platform,[6] Hive used Double Extortion techniques, in which operators install locker malware to take the data of a victim entity, then encrypt it so that it becomes useless to the victims for conducting business. Group operators then threaten to publish the stolen data on its dark web Tor site – HiveLeaks – unless the ransom is paid. The group has also used "triple extortion" tactics, seeking to extort money from anyone affected by a data disclosure of the victim organization's data.

The Hive mainly targets energy, healthcare, financial, media, and education sectors, and became notorious for attacking and crippling critical infrastructure. According to cybersecurity firm Paloaltonetworks in late 2022, the ransomware drops two batch scripts: hive.bat, which tries to delete itself, then shadow.bat, which deletes any shadow copies of the system. It then adds a .hive extension to encrypted files, along with its ransom note, entitled "HOW_TO_DECRYPT.txt", which lists instructions for preventing data loss. A generated login credential is included to instigate online communications between the victim and Hive hackers, labelled as its "sales department". A Tor link directs the victim to a login page submit the provided credentials, which opens a chat room.[7]

History

Emergence and growing profile

Hive ransomware first became apparent in June 2021.[8] Two months later, ZDNet reported that Hive had attacked at least 28 healthcare organizations in the United States, including clinics and hospitals across Ohio and West Virginia.[9] In August 2021, the FBI released urgent updates warning of the risks from Hive ransomware, as did INCIBE in Spain, the following January. Also in August 2021, the FBI released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang.[5]

In December 2021, Group-IB Threat Intelligence analysts determined that the Hive ransomware group communicated in Russian, though without information regarding its operational location, and that, as of October 16, 2021, at least 355 companies had been victims of Hive ransomware during the previous six months, the majority being in the United States, with ransom obtained from over 100 victims undertaking to regain control of digital infrastructures.[10] [11] Hive's administrator panel showed that its affiliates had breached more than 350 organizations over four months with an average of three companies attacked every day since Hive operations were revealed in late June.[12]

Chainalysis ranked Hive eighth on the list of highest ransomware revenue in February 2022.[13] In July 2022, Malwarebytes ranked Hive as the third-most active ransomware group, noting that the group was evolving and that Microsoft had issued a warning stating that HIVE had upgraded the malware to the Rust programming language, upgrading to a more complex encryption method.

Conti links

See also: Conti (ransomware). According to Advanced Intelligent Systems expert Yelisey Boguslavskiy and BleepingComputer, Hive had links to Conti ransomware group since at least November 2021,[14] with some Hive members working for both groups. According to Boguslavskiy, Hive was actively using the initial attack access provided by Conti.

In May 2022, BleepingComputer reported that Conti had partnered with Hive and several other well-known ransomware gangs, including HelloKitty, AvosLocker, BlackCat and BlackByte,[15] with some of the Conti hackers migrating to these organizations, including Hive,[16] [17] though the rival group[18] has denied having any connection with Conti despite which, once the process of closing operations began and its hackers reached Hive, it then began to employ the tactic of publishing leaked data on the deep web, just as Conti had.[16]

Later in May, Conti announced that they would begin a shutdown process,[19] days after the DOJ announced two indictments of an active Conti operator and Russian national on May 16, 2022,[20] then partnered with Hive to attack the Costa Rica public health service and Costa Rican Social Security Fund (CCSS) the following week.

Unlike the Conti Group, Hive was not associated with direct support for the Russian invasion of Ukraine, even though the ransom payment to Hive is likely to be received by the same people within Conti who claimed the group's collective alignment with the Russian government. Boguslavskiy then told BleepingComputer that evidence of HIVE actively via both the initial attack accesses secured from Conti, and via the services of Conti's pen-testers.[21]

Discovery of vulnerabilities and FBI infiltration

In February 2022, four researchers from Kookmin University in South Korea discovered a vulnerability in the Hive ransomware encryption algorithm, allowing them to obtain the master key and recover hijacked information.[22] [13] In May, a Cisco report indicated that Hive criminals demonstrated low security when revealing operational details, including regarding its encryption process, and employs any and all means to convince its victims to pay, including offering bribes to victims' negotiators after ransom is paid.[23]

In July 2022, the FBI infiltrated Hive. Undercover Tampa, Florida Field Office agents acquired full access and acted as a subsidiary in the Hive network undetected for seven months, while gathering evidence and secretly generating decryption keys for victims to recover their data. The FBI worked with victims to identify Hive's targets, then entered Hive's systems after obtaining court orders and search warrants before eventual seizure of Hive's digital infrastructure,[24] which its members used to communicate and carry out the attacks.[25]

In November 2022, Cybersecurity and Infrastructure Security Agency (CISA) issued a Cybersecurity Advisory detailing Hive ransomware mitigation methods, noting that the group had, since June 2021, then victimized over 1,300 companies globally, and had acquired approximately US$100 million in ransom payments.[26] Two months later, when dismantled by law enforcement, Hive had added 200 more companies as to victims in 80 countries.[3]

Defeat in cyberspace

On January 26, 2023, United States Attorney General Merrick Garland personally announced that, in concert with law enforcement from 13 countries,[27] including Europol and German and Dutch police agencies, Hive had been successfully infiltrated and dismantled through server seizures, after having obtained over 1000 decryption keys, which the agency had provided to 336 victims prior to shuttering the Hive digital infrastructure. The FBI investigation had uncovered two backend computer servers used by the group to store data in Los Angeles, which were seized. Deputy Attorney General Lisa Monaco explained the investigation as having legally "hacked the hackers". FBI director Christopher A. Wray reported that only about 20% of American victim companies had reported the breaches. No ransom proceeds were recovered and no arrests were made. The investigation continues.[28] [29] [30] [25] [31] The same day, the US State Department issued notice of a $US10 million bounty for information linking Hive ransomware to foreign governments, under its Transnational Organized Crime Rewards Program (TOCRP).[32]

2023 arrests

As part of an Europol investigation, on 21 November 2023 Ukraine authorities searched 30 objects in western Ukraine and apprehended 5 men, including the alleged leader of the group, a 32 year old. They confiscated an unspecified amount of bitcoins equivalent to a six-figure amount of euros from one of the suspects. Europol stated that additional suspects were still under investigation.[33]

Attacks

March 2021—CNA Insurance

CNA paid more than $40 million in late March to regain control of its network after a Hive ransomware attack. The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network.[34] In 2022, it was reported to be the largest disclosed ransomware payment at that time.

The insurer stated that its investigation concluded that the hackers responsible for the cyberattack were from a group called Phoenix. They had used malware called Phoenix Locker, a variation of the Hades ransomware used by Russian cybercriminal group Evil Corp.[35]

August 2021—Memorial Health System

Memorial Healthcare System was forced to have its hospitals use paper records, cancel procedures, and refer patients to other non-compromised facilities. The organization paid ransom to Hive to regain access to its systems.[9]

April 2022—Microsoft Exchange servers

Investigation by cybersecurity firm revealed, in April 2022, that an affiliate of the Hive ransomware group was targeting Microsoft Exchange servers with vulnerability to ProxyShell security issues, deploying a variety of backdoors, such as Cobalt Strike beacon, subsequently executing network reconnaissance to steal administrator account credentials, exfiltrate valuable data and deploy the file-encrypting payload.[36]

May 2022—Navarre public institutions

Also in May 2022, Hive attacked the Community of Navarra, Spain, forcing a hundred institutions to use pen and paper while systems were recovered.[37] [38]

May 2022—Bank of Zambia

When Hive attacked the Bank of Zambia[39] in May 2022, it refused to pay the ransom, stating that it had means to recover its systems, and posted a link to a dick pic on the extortionists' chat.[40] [41]

May–June 2022—Costa Rica

See main article: 2022 Costa Rican ransomware attack. Conti announced that they would begin a shutdown process days after the DOJ announced its two indictments of an active Conti operator and Russian national on May 16, 2022. After the Conti digital infrastructure was reset on May 19, it became evident that Conti, claiming a goal of overthrowing the government, partnered with Hive to attack the Costa Rica public health service and Costa Rican Social Security Fund (CCSS). On May 31 at about 2:00 am (UTC-6:00), the Costa Rican Social Security Fund (CCSS) detected anomalous information flows in its systems and immediately proceeded to turn off all its critical systems, including the Single Digital Health File (Spanish; Castilian: Expediente Digital Único en Salud, EDUS) and the Centralized Collection System. Some printers in the institution printed messages with random codes or characters,[42] while others printed default instructions from the Hive ransomware group on how to regain access to systems.[43] During the attack, it appeared that Hive alone was responsible for taking down 800 government-run servers and thousands of user terminals.[7] CCSS President Álvaro Ramos Chaves stated that databases with sensitive information were not compromised, though at least 30 of the institution's 1,500 servers had been contaminated with ransomware.

August 2022—Bell Technical Solutions

Bell Canada telecommunications company subsidiary Bell Technical Solutions was attacked by Hive ransomware in August 2022.[44] Hive leaked the company's stolen data.[45]

November 2022—Intersport

Reported in December, Swiss sporting goods maker Intersport, with over 700 outlets, was breached by Hive in November, with details of the breach seen only on the dark web, according to French-language media outlet Numerama. Hive demanded that the company pay an undisclosed amount the same day. A sample file allegedly leaked on the dark web by Hive and scrutinized by Numerama contains passports, payslips, and other personal information regarding Intersport customers, which is seen as common practice among ransomware gangs. Typically, the ransomware gang locks or encrypts all company data prior to threatening to publish it online if ransom demands are not met.[46]

See also

Notes and References

  1. Web site: March 29, 2022 . Hive ransomware group claims to steal California health plan patient data . live . https://web.archive.org/web/20220531202609/https://venturebeat.com/2022/03/29/hive-ransomware-group-claims-to-steal-california-health-plan-patient-data/ . May 31, 2022 . June 15, 2022 . VentureBeat . en-US.
  2. Web site: 2023-01-26 . Office of Public Affairs U.S. Department of Justice Disrupts Hive Ransomware Variant United States Department of Justice . 2023-06-21 . www.justice.gov . en.
  3. Web site: Bushwick . Sophie . FBI Takes Down Hive Criminal Ransomware Group . 2023-06-21 . Scientific American . April 2023 . en.
  4. Web site: US shuts down major ransomware network Hive . 2023-06-21 . www.aljazeera.com . en.
  5. Web site: August 25, 2021 . Indicators of Compromise Associated with Hive Ransomware . live . https://web.archive.org/web/20220524031429/https://www.ic3.gov/Media/News/2021/210825.pdf . May 24, 2022 . June 8, 2023.
  6. Web site: Shakir . Umar . 2023-01-27 . FBI says it "hacked the hackers" of a ransomware service, saving victims $130 million . 2023-06-21 . The Verge . en-US.
  7. Web site: 2022-10-25 . Hive Ransomware Group claims responsibility for Tata Power Data Breach . 2023-06-21 . TimesNow . en.
  8. Web site: September 2, 2021 . FBI issues alert about Hive ransomware . June 7, 2022 . Healthcare IT News . en . May 20, 2022 . https://web.archive.org/web/20220520171002/https://www.healthcareitnews.com/news/fbi-issues-alert-about-hive-ransomware . live .
  9. Web site: FBI releases alert about Hive ransomware after attack on hospital system in Ohio and West Virginia. 2023-06-21 . ZDNET . en.
  10. Web site: December 9, 2021 . Inside the Hive . Group-IB.
  11. Web site: Hive ransomware claims hundreds of victims in 6-month span . live . https://web.archive.org/web/20220605204544/https://www.techtarget.com/searchsecurity/news/252510974/Hive-ransomware-claims-hundreds-of-victims-in-six-month-span . June 5, 2022 . June 7, 2022 . TechTarget.com . en.
  12. Web site: Hive ransomware enters big league with hundreds breached in four months . 2023-06-21 . BleepingComputer . en-us.
  13. Web site: 2022-02-21 . Researchers decrypt Hive ransomware, recover up to 98% of files . 2023-06-21 . The Stack . en.
  14. Web site: FBI: Hive ransomware extorted $100M from over 1,300 victims . 2023-06-21 . BleepingComputer . en-us.
  15. Web site: Conti ransomware shuts down operation, rebrands into smaller units . 2023-06-21 . BleepingComputer . en-us.
  16. Web site: Costa Rica's public health agency hit by Hive ransomware . June 7, 2022 . BleepingComputer . en-us . June 6, 2022 . https://web.archive.org/web/20220606151555/https://www.bleepingcomputer.com/news/security/costa-rica-s-public-health-agency-hit-by-hive-ransomware/ . live .
  17. Web site: Did the Conti ransomware crew orchestrate its own demise? . June 7, 2022 . ComputerWeekly.com . en . May 30, 2022 . https://web.archive.org/web/20220530072439/https://www.computerweekly.com/news/252520524/Did-the-Conti-ransomware-crew-orchestrate-its-own-demise . live .
  18. Web site: Hive Ransomware Shut Down by Law Enforcement Operation; FBI in Possession of Decryption Keys, Group's Public-Facing Website . June 4, 2023 . CPO Magazine.
  19. Web site: Conti Ransomware Operation Shut Down After Brand Becomes Toxic . live . https://web.archive.org/web/20220608090916/https://www.securityweek.com/conti-ransomware-operation-shut-down-after-brand-becomes-toxic . June 8, 2022 . June 15, 2022 . www.securityweek.com. 23 May 2022 .
  20. Web site: 2023-05-16 . District of New Jersey Russian National Charged with Ransomware Attacks Against Critical Infrastructure United States Department of Justice . 2023-06-21 . www.justice.gov . en.
  21. Web site: Hive ransomware claims cyberattack on Bell Canada subsidiary . 2023-06-21 . BleepingComputer . en-us.
  22. A Method for Decrypting Data Infected with Hive Ransomware . 2202.08477 . Kim . Giyoon . Kim . Soram . Kang . Soojin . Kim . Jongsung . 2022 . cs.CR .
  23. Web site: Conti and Hive ransomware operations: Leveraging victim chats for insights. Kendall. McKay. Talos Intelligence . June 8, 2022 . May 31, 2022 . https://web.archive.org/web/20220531201619/https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098 . live .
  24. Web site: How the FBI prevented $130 million in crypto ransomware attacks by hacking the hackers behind Hive . 2023-05-22 . Fortune Crypto . en.
  25. News: Lowell . Hugo . 2023-01-26 . US authorities seize servers for Hive ransomware group . en-GB . The Guardian . 2023-06-21 . 0261-3077.
  26. Web site: 2022-11-25 . #StopRansomware: Hive Ransomware CISA . 2023-06-21 . www.cisa.gov . en.
  27. Web site: Glover . Claudia . 2023-01-26 . Hive ransomware gang's infrastructure taken down by the FBI and Europol . 2023-06-21 . Tech Monitor . en-US.
  28. News: 2023-01-26 . 'We Hacked the Hackers': Hive Ransomware Seized in Global Sting . en . Bloomberg.com . 2023-06-21.
  29. News: Menn . Joseph . Stein . Perry . Schaffer . Aaron . 2023-01-26 . FBI shuts down ransomware gang that targeted schools and hospitals . en-US . Washington Post . 2023-06-21 . 0190-8286.
  30. News: Mclaughlin . Jenna . January 26, 2023 . FBI says it 'hacked the hackers' to shut down major ransomware group . National Public Radio . June 21, 2023.
  31. Web site: 2023-01-26 . US, Europol seize Hive ransomware servers and leak sites: 'We hacked the hackers' . 2023-06-21 . SC Media . en.
  32. Web site: US offers $10M bounty for Hive ransomware links to foreign governments . 2023-06-21 . BleepingComputer . en-us.
  33. Web site: Ermittler nehmen mutmaßliche Hacker in der Ukraine fest . 2023-11-28 . tagesschau.de . de.
  34. News: Mehrotra. Kartikay. Turton. William. May 21, 2021. CNA Financial Paid $40 Million in Ransom After March Cyberattack. May 22, 2021. Bloomberg Businessweek.
  35. Web site: CNA pays $40 million ransom to lift malware from its systems . 2023-06-21 . www.insurancebusinessmag.com . en.
  36. Web site: Microsoft Exchange servers hacked to deploy Hive ransomware . 2023-06-21 . BleepingComputer . en-us.
  37. Web site: Otazu . Amaia . May 28, 2022 . Un ataque informático devuelve a la era del papel a 179 entidades navarras . live . https://web.archive.org/web/20220605150255/https://elpais.com/espana/2022-05-28/un-ataque-informatico-devuelve-a-la-era-del-papel-a-179-entidades-navarras.html . June 5, 2022 . June 7, 2022 . El País . es.
  38. Web site: El culpable del hackeo a las webs municipales navarras es el ransomware Hive . live . https://web.archive.org/web/20220530104545/https://www.pamplonaactual.com/articulo/tecnologia/el-culpable-de/20220530124441303052.html . May 30, 2022 . June 7, 2022 . Pamplona Actual . 30 May 2022 . es.
  39. News: May 18, 2022 . Ransomware Attackers Get Short Shrift From Zambian Central Bank . en . Bloomberg.com . June 7, 2022.
  40. Web site: May 25, 2022 . El Banco de Zambia responde con una "fotopolla" a la extorsion de los ciberdelincuentes que les atacaron. . live . https://web.archive.org/web/20220525104752/https://derechodelared.com/banco-de-zambia-respuesta-ransomware/ . May 25, 2022 . June 7, 2022 . derechodelared.com . es.
  41. Web site: National bank hit by ransomware trolls hackers with dick pics . live . https://web.archive.org/web/20220601191402/https://www.bleepingcomputer.com/news/security/national-bank-hit-by-ransomware-trolls-hackers-with-dick-pics/ . June 1, 2022 . June 7, 2022 . BleepingComputer . en-us.
  42. Web site: FOTOS Y VIDEO: Los extraños mensajes de las impresoras de la CCSS tras hackeo . live . https://web.archive.org/web/20220531152013/https://www.crhoy.com/nacionales/fotos-y-video-los-extranos-mensajes-de-las-impresoras-de-la-ccss-tras-hackeo/ . May 31, 2022 . June 8, 2022 . CRHoy.com . es.
  43. Web site: Hive Ransomware Group, el grupo de cibercriminales que atacó la CCSS y tiene predilección por instituciones de salud . live . https://web.archive.org/web/20220531210324/https://delfino.cr/2022/05/hive-ransomware-group-el-grupo-de-cibercriminales-que-ataco-la-ccss-y-tiene-predileccion-por-instituciones-de-salud . May 31, 2022 . June 8, 2022 . delfino.cr . es.
  44. Web site: Hive ransomware claims cyberattack on Bell Canada subsidiary . 2023-07-29 . BleepingComputer . en-us.
  45. Web site: Singh . Carly Page and Jagmeet . 2022-10-25 . Hive ransomware gang leaks data stolen during Tata Power cyberattack . 2023-08-03 . TechCrunch . en-US.
  46. Web site: Black . Damien . Dec 6, 2022 . Hive adds French sports firm to list of victims, local media claims . July 23, 2023 . Cybernews.